Bv9ARM.ch01.html revision 38a5df33f461f2379639ef95d282d3658f68ed04
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="next" href="Bv9ARM.ch02.html" title="Chapter&nbsp;2.&nbsp;BIND Resource Requirements">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch01"></a>Chapter&nbsp;1.&nbsp;Introduction</h1></div></div></div>
<dl>
<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt>
</dl>
<p>
The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
consists of the syntax
to specify the names of entities in the Internet in a hierarchical
manner, the rules used for delegating authority over names, and the
system implementation that actually maps names to Internet
addresses. <acronym class="acronym">DNS</acronym> data is maintained in a
group of distributed
hierarchical databases.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="doc_scope"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
domain name server for a number of operating systems. This
document provides basic information about the installation and
care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
<acronym class="acronym">BIND</acronym> version 9 software package for
system administrators.
</p>
<p>This version of the manual corresponds to BIND version 9.11.</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="organization"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
<span class="emphasis"><em>task-oriented</em></span> in its presentation and is
organized functionally, to aid in the process of installing the
<acronym class="acronym">BIND</acronym> 9 software. The task-oriented
section is followed by
<span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
concepts that the system administrator may need for implementing
certain options. <span class="emphasis"><em>Chapter 5</em></span>
describes the <acronym class="acronym">BIND</acronym> 9 lightweight
resolver. The contents of <span class="emphasis"><em>Chapter 6</em></span> are
organized as in a reference manual to aid in the ongoing
maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
security considerations, and
<span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
main body of the document is followed by several
<span class="emphasis"><em>appendices</em></span> which contain useful reference
information, such as a <span class="emphasis"><em>bibliography</em></span> and
historic information related to <acronym class="acronym">BIND</acronym>
and the Domain Name System.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="conventions"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
</p>
a pathname, filename, URL, hostname,
mailing list name, or new term or concept
literal user
<strong class="userinput"><code>Fixed Width Bold</code></strong>
program output
<p>
The following conventions are used in descriptions of the
<acronym class="acronym">BIND</acronym> configuration file:</p>
</colgroup>
Optional input
[<span class="optional">Text is enclosed in square brackets</span>]
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
begin by reviewing the fundamentals of the Domain Name System
(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="dns_fundamentals"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
addresses and vice versa, mail routing information, and other data
used by Internet applications.
</p>
<p>
Clients look up information in the DNS by calling a
<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
The <acronym class="acronym">BIND</acronym> 9 software distribution
contains a name server, <span class="command"><strong>named</strong></span>, and a
resolver library, <span class="command"><strong>liblwres</strong></span>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="domain_names"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
name of the
node is the concatenation of all the labels on the path from the
node to the <span class="emphasis"><em>root</em></span> node. This is represented
in written form as a string of labels listed from right to left and
separated by dots. A label need only be unique within its parent
domain.
</p>
<p>
For example, a domain name for a host at the
company <span class="emphasis"><em>Example, Inc.</em></span> could be
top level domain to which
<code class="literal">ourhost.example.com</code> belongs,
name of the host.
</p>
<p>
For administrative purposes, the name space is partitioned into
areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
extending down to the leaf nodes or to nodes where other zones
start.
The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
DNS protocol.
</p>
<p>
The data associated with each domain name is stored in the
form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
Some of the supported resource record types are described in
<a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>.
</p>
<p>
For more detailed information about the design of the DNS and
the DNS protocol, please refer to the standards documents listed in
<a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="zones"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
and a <span class="emphasis"><em>domain</em></span>.
</p>
<p>
As stated previously, a zone is a point of delegation in
the <acronym class="acronym">DNS</acronym> tree. A zone consists of
those contiguous parts of the domain
tree for which a name server has complete information and over which
it has authority. It contains all domain names from a certain point
downward in the domain tree except those which are delegated to
other zones. A delegation point is marked by one or more
NS records in the
parent zone, which should be matched by equivalent NS records at
the root of the delegated zone.
</p>
<p>
For instance, consider the <code class="literal">example.com</code>
domain which includes names
such as <code class="literal">host.aaa.example.com</code> and
<code class="literal">host.bbb.example.com</code> even though
the <code class="literal">example.com</code> zone includes
only delegations for the <code class="literal">aaa.example.com</code> and
<code class="literal">bbb.example.com</code> zones. A zone can
map exactly to a single domain, but could also include only part of a
domain, the rest of which could be delegated to other
name servers. Every name in the <acronym class="acronym">DNS</acronym>
tree is a
<span class="emphasis"><em>domain</em></span>, even if it is
<span class="emphasis"><em>terminal</em></span>, that is, has no
<span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
every domain except the root is also a subdomain. The terminology is
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
to gain a complete understanding of this difficult and subtle
topic.
</p>
<p>
Though <acronym class="acronym">BIND</acronym> is called a "domain name
server",
it deals primarily in terms of zones. The master and slave
declarations in the <code class="filename">named.conf</code> file
specify
zones, not domains. When you ask some other site if it is willing to
be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
actually asking for slave service for some collection of zones.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="auth_servers"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
which contains the complete data for the zone.
To make the DNS tolerant of server and network failures,
most zones have two or more authoritative servers, on
different networks.
</p>
<p>
Responses from authoritative servers have the "authoritative
answer" (AA) bit set in the response packets. This makes them
easy to identify when debugging DNS configurations using tools like
<span class="command"><strong>dig</strong></span> (<a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>).
</p>
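<p>The AA bit lives in the flags word of the fixed 12-octet DNS header. The following added example (not part of the BIND documentation or distribution) builds two constructed responses, one as an authoritative server would send it and one as a cache would, and decodes the header; the helper names, the query ID and the address 192.0.2.10 are assumptions made for illustration.</p>

```python
import struct

# Masks within the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(name, address, authoritative):
    """Build a constructed response carrying one A record for `name`.

    An authoritative server sets AA; a caching server answering from its
    cache sets RA instead. RD is echoed from the (assumed) query.
    """
    flags = QR | RD | (AA if authoritative else RA)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(address)
    return header + question + answer


def parse_header(message):
    """Decode the fixed 12-octet DNS header into a dict of its fields."""
    if len(message) < 12:
        raise ValueError("truncated DNS message: header needs 12 octets")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": ident,
        "response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def is_authoritative(message):
    """True only for a response (QR=1) that has the AA bit set."""
    header = parse_header(message)
    return header["response"] and header["authoritative"]


if __name__ == "__main__":
    for label, aa in (("authoritative", True), ("cached", False)):
        msg = build_response("ourhost.example.com", (192, 0, 2, 10), aa)
        print(label, parse_header(msg))
```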
<div class="titlepage"><div><div><h4 class="title">
<a name="primary_master"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
<span class="emphasis"><em>primary master</em></span> server, or simply the
<span class="emphasis"><em>primary</em></span>. Typically it loads the zone
contents from some local file edited by humans or perhaps
generated mechanically from some other local file which is
edited by humans. This file is called the
<span class="emphasis"><em>master file</em></span>.
</p>
<p>
In some cases, however, the master file may not be edited
by humans at all, but may instead be the result of
<span class="emphasis"><em>dynamic update</em></span> operations.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="slave_server"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
load
the zone contents from another server using a replication process
known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data
is
transferred directly from the primary master, but it is also
possible
to transfer it from another slave. In other words, a slave server
may itself act as a master to a subordinate slave server.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="stealth_server"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
The authoritative servers are also listed in the zone file itself,
at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
of the zone. You can list servers in the zone's top-level NS
records that are not in the parent's NS delegation, but you cannot
list servers in the parent's delegation that are not present at
the zone's top level.
</p>
<p>
A <span class="emphasis"><em>stealth server</em></span> is a server that is
authoritative for a zone but is not listed in that zone's NS
records. Stealth servers can be used for keeping a local copy of
a
zone to speed up access to the zone's records or to make sure that
the
zone is available even if all the "official" servers for the zone
are
inaccessible.
</p>
<p>
A configuration where the primary master server itself is a
stealth server is often referred to as a "hidden primary"
configuration. One use for this configuration is when the primary
is behind a firewall and therefore unable to communicate directly
with the outside world.
</p>
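<p>The NS-record rules in this section can be checked mechanically. This added example (not from the BIND documentation or distribution) compares the parent's delegation with the zone's apex NS set and identifies stealth servers; the zone data, the server names and the operator-supplied list of serving hosts are constructed assumptions, and the parser accepts only fully qualified, one-record-per-line input.</p>

```python
def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def ns_records(zone_text):
    """Map owner name -> set of NS targets from 'owner TTL IN NS target' lines."""
    table = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if (len(fields) == 5 and fields[2].upper() == "IN"
                and fields[3].upper() == "NS"):
            table.setdefault(norm(fields[0]), set()).add(norm(fields[4]))
    return table


def check_delegation(parent_text, child_text, zone, serving, primary):
    """Compare the parent's delegation of `zone` with the NS set at its apex.

    `serving` is an operator-supplied inventory (an assumption of this
    example) of servers that answer authoritatively for the zone.
    """
    delegated = ns_records(parent_text).get(norm(zone), set())
    apex = ns_records(child_text).get(norm(zone), set())
    stealth = {norm(s) for s in serving} - apex
    return {
        # Listed by the parent but absent at the apex: not permitted.
        "delegated_not_at_apex": sorted(delegated - apex),
        # Listed at the apex only: permitted.
        "apex_only": sorted(apex - delegated),
        # Authoritative but not in the zone's NS records.
        "stealth": sorted(stealth),
        "hidden_primary": norm(primary) in stealth,
    }


# Constructed sample data: the parent zone example.com delegating
# aaa.example.com, and the apex NS records of the delegated zone.
PARENT_ZONE = """\
example.com.      3600 IN NS ns1.example.com.
aaa.example.com.  3600 IN NS ns1.aaa.example.com.
aaa.example.com.  3600 IN NS NS2.AAA.example.com.   ; case differs on purpose
aaa.example.com.  3600 IN NS old.aaa.example.com.
"""
CHILD_ZONE = """\
aaa.example.com.  3600 IN NS ns1.aaa.example.com.
aaa.example.com.  3600 IN NS ns2.aaa.example.com.
aaa.example.com.  3600 IN NS ns3.aaa.example.com.
"""
SERVING = ["ns1.aaa.example.com", "ns2.aaa.example.com",
           "ns3.aaa.example.com", "primary.aaa.example.com"]

if __name__ == "__main__":
    report = check_delegation(PARENT_ZONE, CHILD_ZONE, "aaa.example.com.",
                              SERVING, primary="primary.aaa.example.com")
    for key, value in report.items():
        print(key, value)
```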
<div class="titlepage"><div><div><h3 class="title">
<a name="cache_servers"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
capable of
performing the full DNS resolution process by themselves by talking
directly to the authoritative servers. Instead, they rely on a
name server to perform the resolution on their behalf. Such a
server
is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
<span class="emphasis"><em>recursive lookups</em></span> for local clients.
</p>
<p>
To improve performance, recursive servers cache the results of
the lookups they perform. Since the processes of recursion and
caching are intimately connected, the terms
<span class="emphasis"><em>recursive server</em></span> and
<span class="emphasis"><em>caching server</em></span> are often used synonymously.
</p>
<p>
The length of time for which a record may be retained in
the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
</p>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
<span class="emphasis"><em>forward</em></span> some or all of the queries
that it cannot satisfy from its cache to another caching name
server,
commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
</p>
<p>
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an
answer
is found. Forwarders are typically used when you do not
wish all the servers at a given site to interact directly with
the Internet servers. A typical scenario would involve a number
of internal <acronym class="acronym">DNS</acronym> servers and an
Internet firewall. Servers unable
to pass packets through the firewall would forward to the server
that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
on the internal server's behalf.
</p>