235N/A - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") 235N/A - Copyright (C) 2000-2003 Internet Software Consortium. 235N/A - Permission to use, copy, modify, and/or distribute this software for any 235N/A - purpose with or without fee is hereby granted, provided that the above 235N/A - copyright notice and this permission notice appear in all copies. 235N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 235N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 235N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 235N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 235N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 235N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 235N/A - PERFORMANCE OF THIS SOFTWARE. 235N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
235N/A<
title>Chapter�1.�Introduction</
title>
235N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
235N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
235N/A<
link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
879N/A<
link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
235N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
235N/A<
table width="100%" summary="Navigation header">
235N/A<
tr><
th colspan="3" align="center">Chapter�1.�Introduction</
th></
tr>
926N/A<
td width="20%" align="left">
235N/A<
th width="60%" align="center">�</
th>
235N/A<
div class="titlepage"><
div><
div><
h1 class="title">
235N/A<
p><
b>Table of Contents</
b></
p>
235N/A<
dt><
span class="section"><
a href="Bv9ARM.ch01.html#id-1.2.5">Organization of This Document</
a></
span></
dt>
235N/A<
dt><
span class="section"><
a href="Bv9ARM.ch01.html#id-1.2.6">Conventions Used in This Document</
a></
span></
dt>
235N/A<
dt><
span class="section"><
a href="Bv9ARM.ch01.html#id-1.2.7">The Domain Name System (<
acronym class="acronym">DNS</
acronym>)</
a></
span></
dt>
235N/A<
dt><
span class="section"><
a href="Bv9ARM.ch01.html#id-1.2.7.5">Domains and Domain Names</
a></
span></
dt>
235N/A<
dt><
span class="section"><
a href="Bv9ARM.ch01.html#id-1.2.7.7">Authoritative Name Servers</
a></
span></
dt>
565N/A<
dt><
span class="section"><
a href="Bv9ARM.ch01.html#id-1.2.7.9">Name Servers in Multiple Roles</
a></
span></
dt>
926N/A The Internet Domain Name System (<
acronym class="acronym">DNS</
acronym>)
625N/A to specify the names of entities in the Internet in a hierarchical
235N/A manner, the rules used for delegating authority over names, and the
235N/A system implementation that actually maps names to Internet
577N/A addresses. <
acronym class="acronym">DNS</
acronym> data is maintained in a
577N/A hierarchical databases.
235N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
235N/A<
a name="id-1.2.4"></
a>Scope of Document</
h2></
div></
div></
div>
235N/A The Berkeley Internet Name Domain
235N/A (<
acronym class="acronym">BIND</
acronym>) implements a
235N/A domain name server for a number of operating systems. This
235N/A document provides basic information about the installation and
235N/A care of the Internet Systems Consortium (<
acronym class="acronym">ISC</
acronym>)
315N/A <
acronym class="acronym">BIND</
acronym> version 9 software package for
429N/A <
p>This version of the manual corresponds to BIND version 9.11.</
p>
565N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
235N/A<
a name="id-1.2.5"></
a>Organization of This Document</
h2></
div></
div></
div>
235N/A In this document, <
span class="emphasis"><
em>Chapter 1</
em></
span> introduces
235N/A the basic <
acronym class="acronym">DNS</
acronym> and <
acronym class="acronym">BIND</
acronym> concepts. <
span class="emphasis"><
em>Chapter 2</
em></
span>
235N/A describes resource requirements for running <
acronym class="acronym">BIND</
acronym> in various
235N/A environments. Information in <
span class="emphasis"><
em>Chapter 3</
em></
span> is
235N/A <
span class="emphasis"><
em>task-oriented</
em></
span> in its presentation and is
235N/A organized functionally, to aid in the process of installing the
926N/A <
acronym class="acronym">BIND</
acronym> 9 software. The task-oriented
926N/A <
span class="emphasis"><
em>Chapter 4</
em></
span>, which contains more advanced
625N/A concepts that the system administrator may need for implementing
625N/A certain options. <
span class="emphasis"><
em>Chapter 5</
em></
span>
926N/A describes the <
acronym class="acronym">BIND</
acronym> 9 lightweight
926N/A resolver. The contents of <
span class="emphasis"><
em>Chapter 6</
em></
span> are
926N/A organized as in a reference manual to aid in the ongoing
625N/A maintenance of the software. <
span class="emphasis"><
em>Chapter 7</
em></
span> addresses
625N/A security considerations, and
625N/A <
span class="emphasis"><
em>Chapter 8</
em></
span> contains troubleshooting help. The
625N/A main body of the document is followed by several
625N/A <
span class="emphasis"><
em>appendices</
em></
span> which contain useful reference
577N/A information, such as a <
span class="emphasis"><
em>bibliography</
em></
span> and
577N/A historic information related to <
acronym class="acronym">BIND</
acronym>
315N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
315N/A<
a name="id-1.2.6"></
a>Conventions Used in This Document</
h2></
div></
div></
div>
577N/A In this document, we use the following general typographic
235N/A <
div class="informaltable">
235N/A<
col width="3.000in" class="1">
235N/A<
col width="2.625in" class="2">
235N/A <
span class="emphasis"><
em>To describe:</
em></
span>
235N/A <
span class="emphasis"><
em>We use the style:</
em></
span>
235N/A a pathname, filename, URL, hostname,
235N/A mailing list name, or new term or concept
235N/A <
code class="filename">Fixed width</
code>
235N/A <
strong class="userinput"><
code>Fixed Width Bold</
code></
strong>
235N/A <
code class="computeroutput">Fixed Width</
code>
429N/A The following conventions are used in descriptions of the
429N/A <
acronym class="acronym">BIND</
acronym> configuration file:</
p>
429N/A<
div class="informaltable">
429N/A<
col width="3.000in" class="1">
429N/A<
col width="2.625in" class="2">
429N/A <
span class="emphasis"><
em>To describe:</
em></
span>
235N/A <
span class="emphasis"><
em>We use the style:</
em></
span>
625N/A <
code class="literal">Fixed Width</
code>
926N/A <
code class="varname">Fixed Width</
code>
926N/A [<
span class="optional">Text is enclosed in square brackets</
span>]
926N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
926N/A<
a name="id-1.2.7"></
a>The Domain Name System (<
acronym class="acronym">DNS</
acronym>)</
h2></
div></
div></
div>
235N/A The purpose of this document is to explain the installation
926N/A and upkeep of the <
acronym class="acronym">BIND</
acronym> (Berkeley Internet
926N/A Name Domain) software package, and we
235N/A begin by reviewing the fundamentals of the Domain Name System
926N/A (<
acronym class="acronym">DNS</
acronym>) as they relate to <
acronym class="acronym">BIND</
acronym>.
429N/A<
div class="titlepage"><
div><
div><
h3 class="title">
926N/A<
a name="id-1.2.7.4"></
a>DNS Fundamentals</
h3></
div></
div></
div>
235N/A The Domain Name System (DNS) is a hierarchical, distributed
235N/A database. It stores information for mapping Internet host names to
235N/A addresses and vice versa, mail routing information, and other data
235N/A used by Internet applications.
235N/A Clients look up information in the DNS by calling a
235N/A <
span class="emphasis"><
em>resolver</
em></
span> library, which sends queries to one or
235N/A more <
span class="emphasis"><
em>name servers</
em></
span> and interprets the responses.
235N/A The <
acronym class="acronym">BIND</
acronym> 9 software distribution
235N/A name server, <
span class="command"><
strong>named</
strong></
span>, and a resolver
235N/A library, <
span class="command"><
strong>liblwres</
strong></
span>. The older
235N/A <
span class="command"><
strong>libbind</
strong></
span> resolver library is also available
235N/A from ISC as a separate download.
926N/A<
div class="titlepage"><
div><
div><
h3 class="title">
926N/A<
a name="id-1.2.7.5"></
a>Domains and Domain Names</
h3></
div></
div></
div>
235N/A The data stored in the DNS is identified by <
span class="emphasis"><
em>domain names</
em></
span> that are organized as a tree according to
926N/A organizational or administrative boundaries. Each node of the tree,
926N/A called a <
span class="emphasis"><
em>domain</
em></
span>, is given a label. The domain
926N/A node is the concatenation of all the labels on the path from the
926N/A node to the <
span class="emphasis"><
em>root</
em></
span> node. This is represented
235N/A in written form as a string of labels listed from right to left and
926N/A separated by dots. A label need only be unique within its parent
235N/A For example, a domain name for a host at the
926N/A company <
span class="emphasis"><
em>Example, Inc.</
em></
span> could be
235N/A where <
code class="literal">com</
code> is the
926N/A top level domain to which
235N/A <
code class="literal">example</
code> is
926N/A a subdomain of <
code class="literal">com</
code>, and
926N/A <
code class="literal">ourhost</
code> is the
926N/A For administrative purposes, the name space is partitioned into
926N/A areas called <
span class="emphasis"><
em>zones</
em></
span>, each starting at a node and
429N/A extending down to the leaf nodes or to nodes where other zones
926N/A The data for each zone is stored in a <
span class="emphasis"><
em>name server</
em></
span>, which answers queries about the zone using the
429N/A <
span class="emphasis"><
em>DNS protocol</
em></
span>.
235N/A The data associated with each domain name is stored in the
235N/A form of <
span class="emphasis"><
em>resource records</
em></
span> (<
acronym class="acronym">RR</
acronym>s).
235N/A Some of the supported resource record types are described in
235N/A <
a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</
a>.
235N/A For more detailed information about the design of the DNS and
235N/A the DNS protocol, please refer to the standards documents listed in
235N/A <
a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</
a>.
242N/A<
div class="titlepage"><
div><
div><
h3 class="title">
235N/A<
a name="id-1.2.7.6"></
a>Zones</
h3></
div></
div></
div>
926N/A To properly operate a name server, it is important to understand
926N/A the difference between a <
span class="emphasis"><
em>zone</
em></
span>
235N/A and a <
span class="emphasis"><
em>domain</
em></
span>.
926N/A As stated previously, a zone is a point of delegation in
926N/A the <
acronym class="acronym">DNS</
acronym> tree. A zone consists of
235N/A those contiguous parts of the domain
926N/A tree for which a name server has complete information and over which
926N/A it has authority. It contains all domain names from a certain point
315N/A downward in the domain tree except those which are delegated to
926N/A other zones. A delegation point is marked by one or more
926N/A <
span class="emphasis"><
em>NS records</
em></
span> in the
235N/A parent zone, which should be matched by equivalent NS records at
926N/A the root of the delegated zone.
235N/A domain which includes names
384N/A exactly to a single domain, but could also include only part of a
384N/A domain, the rest of which could be delegated to other
384N/A name servers. Every name in the <
acronym class="acronym">DNS</
acronym>
384N/A <
span class="emphasis"><
em>domain</
em></
span>, even if it is
384N/A <
span class="emphasis"><
em>terminal</
em></
span>, that is, has no
384N/A <
span class="emphasis"><
em>subdomains</
em></
span>. Every subdomain is a domain and
235N/A every domain except the root is also a subdomain. The terminology is
235N/A not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
384N/A gain a complete understanding of this difficult and subtle
384N/A Though <
acronym class="acronym">BIND</
acronym> is called a "domain name
926N/A it deals primarily in terms of zones. The master and slave
384N/A zones, not domains. When you ask some other site if it is willing to
384N/A be a slave server for your <
span class="emphasis"><
em>domain</
em></
span>, you are
384N/A actually asking for slave service for some collection of zones.
235N/A<
div class="titlepage"><
div><
div><
h3 class="title">
237N/A<
a name="id-1.2.7.7"></
a>Authoritative Name Servers</
h3></
div></
div></
div>
384N/A Each zone is served by at least
384N/A one <
span class="emphasis"><
em>authoritative name server</
em></
span>,
384N/A which contains the complete data for the zone.
384N/A To make the DNS tolerant of server and network failures,
235N/A most zones have two or more authoritative servers, on
429N/A Responses from authoritative servers have the "authoritative
429N/A answer" (AA) bit set in the response packets. This makes them
429N/A easy to identify when debugging DNS configurations using tools like
429N/A <
span class="command"><
strong>dig</
strong></
span> (<
a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</
a>).
429N/A<
div class="titlepage"><
div><
div><
h4 class="title">
429N/A<
a name="id-1.2.7.7.5"></
a>The Primary Master</
h4></
div></
div></
div>
429N/A The authoritative server where the master copy of the zone
429N/A data is maintained is called the
429N/A <
span class="emphasis"><
em>primary master</
em></
span> server, or simply the
429N/A <
span class="emphasis"><
em>primary</
em></
span>. Typically it loads the zone
235N/A contents from some local file edited by humans or perhaps
235N/A generated mechanically from some other local file which is
236N/A edited by humans. This file is called the
235N/A <
span class="emphasis"><
em>zone file</
em></
span> or
235N/A <
span class="emphasis"><
em>master file</
em></
span>.
235N/A In some cases, however, the master file may not be edited
242N/A by humans at all, but may instead be the result of
235N/A <
span class="emphasis"><
em>dynamic update</
em></
span> operations.
235N/A<
div class="titlepage"><
div><
div><
h4 class="title">
235N/A<
a name="id-1.2.7.7.6"></
a>Slave Servers</
h4></
div></
div></
div>
235N/A The other authoritative servers, the <
span class="emphasis"><
em>slave</
em></
span>
235N/A servers (also known as <
span class="emphasis"><
em>secondary</
em></
span> servers)
235N/A the zone contents from another server using a replication process
565N/A known as a <
span class="emphasis"><
em>zone transfer</
em></
span>. Typically the data
235N/A transferred directly from the primary master, but it is also
879N/A to transfer it from another slave. In other words, a slave server
879N/A may itself act as a master to a subordinate slave server.
235N/A<
div class="titlepage"><
div><
div><
h4 class="title">
315N/A<
a name="id-1.2.7.7.7"></
a>Stealth Servers</
h4></
div></
div></
div>
242N/A Usually all of the zone's authoritative servers are listed in
384N/A NS records in the parent zone. These NS records constitute
384N/A a <
span class="emphasis"><
em>delegation</
em></
span> of the zone from the parent.
384N/A The authoritative servers are also listed in the zone file itself,
384N/A at the <
span class="emphasis"><
em>top level</
em></
span> or <
span class="emphasis"><
em>apex</
em></
span>
384N/A of the zone. You can list servers in the zone's top-level NS
384N/A records that are not in the parent's NS delegation, but you cannot
384N/A list servers in the parent's delegation that are not present at
384N/A A <
span class="emphasis"><
em>stealth server</
em></
span> is a server that is
384N/A authoritative for a zone but is not listed in that zone's NS
384N/A records. Stealth servers can be used for keeping a local copy of
384N/A zone to speed up access to the zone's records or to make sure that
384N/A zone is available even if all the "official" servers for the zone
625N/A A configuration where the primary master server itself is a
625N/A stealth server is often referred to as a "hidden primary"
625N/A configuration. One use for this configuration is when the primary
625N/A is behind a firewall and therefore unable to communicate directly
625N/A with the outside world.
625N/A<
div class="titlepage"><
div><
div><
h3 class="title">
926N/A<
a name="id-1.2.7.8"></
a>Caching Name Servers</
h3></
div></
div></
div>
625N/A The resolver libraries provided by most operating systems are
625N/A <
span class="emphasis"><
em>stub resolvers</
em></
span>, meaning that they are not
625N/A performing the full DNS resolution process by themselves by talking
625N/A directly to the authoritative servers. Instead, they rely on a
625N/A name server to perform the resolution on their behalf. Such a
625N/A is called a <
span class="emphasis"><
em>recursive</
em></
span> name server; it performs
625N/A <
span class="emphasis"><
em>recursive lookups</
em></
span> for local clients.
625N/A To improve performance, recursive servers cache the results of
235N/A the lookups they perform. Since the processes of recursion and
242N/A caching are intimately connected, the terms
242N/A <
span class="emphasis"><
em>recursive server</
em></
span> and
384N/A <
span class="emphasis"><
em>caching server</
em></
span> are often used synonymously.
384N/A The length of time for which a record may be retained in
384N/A the cache of a caching name server is controlled by the
384N/A Time To Live (TTL) field associated with each resource record.
315N/A<
div class="titlepage"><
div><
div><
h4 class="title">
315N/A<
a name="id-1.2.7.8.6"></
a>Forwarding</
h4></
div></
div></
div>
315N/A Even a caching name server does not necessarily perform
384N/A the complete recursive lookup itself. Instead, it can
384N/A <
span class="emphasis"><
em>forward</
em></
span> some or all of the queries
926N/A that it cannot satisfy from its cache to another caching name
384N/A commonly referred to as a <
span class="emphasis"><
em>forwarder</
em></
span>.
384N/A There may be one or more forwarders,
384N/A and they are queried in turn until the list is exhausted or an
315N/A is found. Forwarders are typically used when you do not
235N/A wish all the servers at a given site to interact directly with the
384N/A the Internet servers. A typical scenario would involve a number
384N/A of internal <
acronym class="acronym">DNS</
acronym> servers and an
384N/A Internet firewall. Servers unable
384N/A to pass packets through the firewall would forward to the server
384N/A that can do it, and that server would query the Internet <
acronym class="acronym">DNS</
acronym> servers
384N/A on the internal server's behalf.
384N/A<
div class="titlepage"><
div><
div><
h3 class="title">
384N/A<
a name="id-1.2.7.9"></
a>Name Servers in Multiple Roles</
h3></
div></
div></
div>
384N/A The <
acronym class="acronym">BIND</
acronym> name server can
384N/A a master for some zones, a slave for other zones, and as a caching
384N/A (recursive) server for a set of local clients.
384N/A However, since the functions of authoritative name service
384N/A often advantageous to run them on separate server machines.
788N/A A server that only provides authoritative name service
788N/A (an <
span class="emphasis"><
em>authoritative-only</
em></
span> server) can run with
788N/A recursion disabled, improving reliability and security.
788N/A A server that is not authoritative for any zones and only provides
788N/A recursive service to local
788N/A clients (a <
span class="emphasis"><
em>caching-only</
em></
span> server)
788N/A does not need to be reachable from the Internet at large and can
788N/A be placed inside a firewall.
235N/A<
table width="100%" summary="Navigation footer">
384N/A<
td width="40%" align="left">
384N/A<
td width="20%" align="center">�</
td>
384N/A<
td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual�</
td>
235N/A<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
235N/A<
td width="40%" align="right" valign="top">�Chapter�2.�<
acronym class="acronym">BIND</
acronym> Resource Requirements</
td>