Bv9ARM.ch01.html revision 71c66a876ecca77923638d3f94cc0783152b2f03
Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch01.html,v 1.30 2006/06/29 13:03:32 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="next" href="Bv9ARM.ch02.html" title="Chapter&nbsp;2.&nbsp;BIND Resource Requirements">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch01"></a>Chapter&nbsp;1.&nbsp;Introduction</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569838">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2568778">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569737">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2570192">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570213">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570247">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570331">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2572661">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2572970">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2573032">Name Servers in Multiple Roles</a></span></dt>
 The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
 consists of the syntax
 to specify the names of entities in the Internet in a hierarchical
 manner, the rules used for delegating authority over names, and the
 system implementation that actually maps names to Internet
 addresses. <acronym class="acronym">DNS</acronym> data is maintained in a
 group of distributed
 hierarchical databases.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2569838"></a>Scope of Document</h2></div></div></div>
 The Berkeley Internet Name Domain
 (<acronym class="acronym">BIND</acronym>) implements a
 domain name server for a number of operating systems. This
 document provides basic information about the installation and
 care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
 <acronym class="acronym">BIND</acronym> version 9 software package for
 system administrators.
 This version of the manual corresponds to BIND version 9.4.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568778"></a>Organization of This Document</h2></div></div></div>
 In this document, <span class="emphasis"><em>Section 1</em></span> introduces
 the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
 describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
 environments. Information in <span class="emphasis"><em>Section 3</em></span> is
 <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
 organized functionally, to aid in the process of installing the
 <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
 section is followed by
 <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
 concepts that the system administrator may need for implementing
 certain options. <span class="emphasis"><em>Section 5</em></span>
 describes the <acronym class="acronym">BIND</acronym> 9 lightweight
 resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
 organized as in a reference manual to aid in the ongoing
 maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
 security considerations, and
 <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
 main body of the document is followed by several
 <span class="emphasis"><em>Appendices</em></span> which contain useful reference
 information, such as a <span class="emphasis"><em>Bibliography</em></span> and
 historic information related to <acronym class="acronym">BIND</acronym>
 and the Domain Name
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2569737"></a>Conventions Used in This Document</h2></div></div></div>
 In this document, we use the following general typographic
<div class="informaltable"><table border="1">
<tr>
<td><span class="emphasis"><em>To describe:</em></span></td>
<td><span class="emphasis"><em>We use the style:</em></span></td>
</tr>
<tr>
<td>a pathname, filename, URL, hostname,
 mailing list name, or new term or concept</td>
<td><code class="filename">Fixed width</code></td>
</tr>
<tr>
<td></td>
<td><strong class="userinput"><code>Fixed Width Bold</code></strong></td>
</tr>
<tr>
<td>program output</td>
<td><code class="computeroutput">Fixed Width</code></td>
</tr>
</table></div>
<p>The following conventions are used in descriptions of the
 <acronym class="acronym">BIND</acronym> configuration file:</p>
<div class="informaltable"><table border="1">
<tr>
<td><span class="emphasis"><em>To describe:</em></span></td>
<td><span class="emphasis"><em>We use the style:</em></span></td>
</tr>
<tr>
<td>Optional input</td>
<td>[<span class="optional">Text is enclosed in square brackets</span>]</td>
</tr>
</table></div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570192"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
 The purpose of this document is to explain the installation
 and upkeep of the <acronym class="acronym">BIND</acronym> software
 package, and we
 begin by reviewing the fundamentals of the Domain Name System
 (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570213"></a>DNS Fundamentals</h3></div></div></div>
 The Domain Name System (DNS) is a hierarchical, distributed
 database. It stores information for mapping Internet host names to
 addresses and vice versa, mail routing information, and other data
 used by Internet applications.
 Clients look up information in the DNS by calling a
 <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
 more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
 The <acronym class="acronym">BIND</acronym> 9 software distribution contains a
 name server, <span><strong class="command">named</strong></span>, and two resolver
 libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570247"></a>Domains and Domain Names</h3></div></div></div>
 The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
 organizational or administrative boundaries. Each node of the tree,
 called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
 name of a node is the concatenation of all the labels on the path from the
 node to the <span class="emphasis"><em>root</em></span> node. This is represented
 in written form as a string of labels listed from right to left and
 separated by dots. A label need only be unique within its parent
 domain.
 For example, a domain name for a host at the
 company <span class="emphasis"><em>Example, Inc.</em></span> could be
 <code class="literal">ourhost.example.com</code>,
 where <code class="literal">com</code> is the
 top level domain to which
 <code class="literal">ourhost.example.com</code> belongs,
 <code class="literal">example</code> is
 a subdomain of <code class="literal">com</code>, and
 <code class="literal">ourhost</code> is the
 name of the host.
 For administrative purposes, the name space is partitioned into
 areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
 extending down to the leaf nodes or to nodes where other zones
 start.
 The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
 <span class="emphasis"><em>DNS protocol</em></span>.
 The data associated with each domain name is stored in the
 form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
 Some of the supported resource record types are described in
 <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>.
 For more detailed information about the design of the DNS and
 the DNS protocol, please refer to the standards documents listed in
 <a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570331"></a>Zones</h3></div></div></div>
 To properly operate a name server, it is important to understand
 the difference between a <span class="emphasis"><em>zone</em></span>
 and a <span class="emphasis"><em>domain</em></span>.
 As stated previously, a zone is a point of delegation in
 the <acronym class="acronym">DNS</acronym> tree. A zone consists of
 those contiguous parts of the domain
 tree for which a name server has complete information and over which
 it has authority. It contains all domain names from a certain point
 downward in the domain tree except those which are delegated to
 other zones. A delegation point is marked by one or more
 <span class="emphasis"><em>NS records</em></span> in the
 parent zone, which should be matched by equivalent NS records at
 the root of the delegated zone.
 For instance, consider the <code class="literal">example.com</code>
 domain which includes names
 such as <code class="literal">host.aaa.example.com</code> and
 <code class="literal">host.bbb.example.com</code> even though
 the <code class="literal">example.com</code> zone includes
 only delegations for the <code class="literal">aaa.example.com</code> and
 <code class="literal">bbb.example.com</code> zones. A zone can map
 exactly to a single domain, but could also include only part of a
 domain, the rest of which could be delegated to other
 name servers. Every name in the <acronym class="acronym">DNS</acronym>
 tree is a <span class="emphasis"><em>domain</em></span>, even if it is
 <span class="emphasis"><em>terminal</em></span>, that is, has no
 <span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
 every domain except the root is also a subdomain. The terminology is
 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
 to gain a complete understanding of this difficult and subtle
 topic.
 Though <acronym class="acronym">BIND</acronym> is called a "domain name
 server",
 it deals primarily in terms of zones. The master and slave
 declarations in the <code class="filename">named.conf</code> file
 specify zones, not domains. When you ask some other site if it is willing to
 be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
 actually asking for slave service for some collection of zones.
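As an added illustration of the zone/domain distinction above (example code written for this page, not part of the BIND distribution): given the zone apexes a server knows about, the code below finds the zone that holds a name by longest label-boundary match, so that host.aaa.example.com falls in the aaa.example.com zone while ourhost.example.com stays in the example.com zone. The zone names are the manual's; the host names and the helper names are constructed for the demonstration.

```python
# Added example for this page (not BIND code): which zone holds a name?
# A zone holds every name from its apex downward except names below a
# delegation point, which belong to the delegated (child) zone.

def labels(name):
    """Split a domain name into its labels, root-most first.
    The root ('.' or '') has no labels at all."""
    name = name.strip().rstrip(".").lower()
    return [] if name == "" else name.split(".")[::-1]

def is_subdomain(name, ancestor):
    """True if `name` is `ancestor` itself or lies below it in the tree.
    Comparing whole labels (not string suffixes) keeps host.notexample.com
    out of example.com."""
    n, a = labels(name), labels(ancestor)
    return n[:len(a)] == a

def enclosing_zone(name, zone_apexes):
    """Return the apex of the zone that holds `name`: the known apex with
    the most labels that is an ancestor-or-self of `name`, or None if no
    known zone contains it. The delegation point itself belongs to the
    child zone, matching the NS records at the root of the delegated zone."""
    best = None
    for apex in zone_apexes:
        if is_subdomain(name, apex):
            if best is None or len(labels(apex)) > len(labels(best)):
                best = apex
    return best

def names_in_zone(apex, names, zone_apexes):
    """The subset of `names` for which the zone at `apex` is authoritative:
    every name in the domain `apex` minus those delegated to child zones."""
    return [n for n in names if enclosing_zone(n, zone_apexes) == apex]

if __name__ == "__main__":
    # Zone apexes from the manual's example: example.com delegates
    # aaa.example.com and bbb.example.com to child zones.
    zones = ["example.com", "aaa.example.com", "bbb.example.com"]
    # Constructed names, all inside the example.com *domain*.
    names = ["ourhost.example.com", "host.aaa.example.com",
             "host.bbb.example.com", "aaa.example.com"]
    for n in names:
        print(f"{n:24} -> zone {enclosing_zone(n, zones)}")
    print("example.com zone holds:", names_in_zone("example.com", names, zones))
```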
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572661"></a>Authoritative Name Servers</h3></div></div></div>
 Each zone is served by at least
 one <span class="emphasis"><em>authoritative name server</em></span>,
 which contains the complete data for the zone.
 To make the DNS tolerant of server and network failures,
 most zones have two or more authoritative servers, on
 different networks.
 Responses from authoritative servers have the "authoritative
 answer" (AA) bit set in the response packets. This makes them
 easy to identify when debugging DNS configurations using tools like
 <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>).
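The AA bit can also be read directly from a response. The following example is added for this page (it is not BIND code): it decodes the fixed 12-byte header of a DNS message as laid out in RFC 1035 and renders the flag bits the way dig prints them. The two sample headers are constructed, one authoritative and one as a recursive server would return it from its cache; the function names are this example's own.

```python
# Added example for this page (not BIND code): read the "authoritative
# answer" (AA) bit from the fixed 12-byte DNS message header (RFC 1035).
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def parse_header(message):
    """Decode the header of a DNS message into a dict of its fields."""
    if len(message) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(message)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),    # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),    # authoritative answer
        "tc": bool(flags & 0x0200),    # truncated
        "rd": bool(flags & 0x0100),    # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),    # recursion available
        "rcode": flags & 0x000F,       # 0 = NOERROR
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def dig_style_flags(header):
    """Render the flag bits the way dig's ';; flags:' line does."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if header[f])

def is_authoritative_answer(message):
    """True only for a response whose AA bit is set; an answer relayed
    from a recursive server's cache has QR but not AA."""
    h = parse_header(message)
    return h["qr"] and h["aa"]

# Constructed sample headers (question/answer sections are not needed here).
AUTHORITATIVE = HEADER.pack(0x1234, 0x8400, 1, 1, 0, 0)  # QR|AA, NOERROR
FROM_CACHE = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)     # QR|RD|RA, no AA

if __name__ == "__main__":
    for label, msg in (("authoritative", AUTHORITATIVE), ("cached", FROM_CACHE)):
        print(f"{label:14} flags: {dig_style_flags(parse_header(msg))}")
```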
<div class="titlepage"><div><div><h4 class="title">
<a name="id2572684"></a>The Primary Master</h4></div></div></div>
 The authoritative server where the master copy of the zone
 data is maintained is called the
 <span class="emphasis"><em>primary master</em></span> server, or simply the
 <span class="emphasis"><em>primary</em></span>. Typically it loads the zone
 contents from some local file edited by humans or perhaps
 generated mechanically from some other local file which is
 edited by humans. This file is called the
 <span class="emphasis"><em>zone file</em></span> or
 <span class="emphasis"><em>master file</em></span>.
 In some cases, however, the master file may not be edited
 by humans at all, but may instead be the result of
 <span class="emphasis"><em>dynamic update</em></span> operations.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2572714"></a>Slave Servers</h4></div></div></div>
 The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
 servers (also known as <span class="emphasis"><em>secondary</em></span> servers) load
 the zone contents from another server using a replication process
 known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data
 is transferred directly from the primary master, but it is also possible
 to transfer it from another slave. In other words, a slave server
 may itself act as a master to a subordinate slave server.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2572736"></a>Stealth Servers</h4></div></div></div>
 Usually all of the zone's authoritative servers are listed in
 NS records in the parent zone. These NS records constitute
 a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
 The authoritative servers are also listed in the zone file itself,
 at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
 of the zone. You can list servers in the zone's top-level NS
 records that are not in the parent's NS delegation, but you cannot
 list servers in the parent's delegation that are not present at
 the zone's top level.
 A <span class="emphasis"><em>stealth server</em></span> is a server that is
 authoritative for a zone but is not listed in that zone's NS
 records. Stealth servers can be used for keeping a local copy of the
 zone to speed up access to the zone's records or to make sure that the
 zone is available even if all the "official" servers for the zone
 are inaccessible.
 A configuration where the primary master server itself is a
 stealth server is often referred to as a "hidden primary"
 configuration. One use for this configuration is when the primary
 is behind a firewall and therefore unable to communicate directly
 with the outside world.
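The rule above (a server may appear at the apex without being in the parent's delegation, but never the reverse) and the stealth and hidden-primary definitions can be checked mechanically. The example below is added for this page and is not BIND code; its inputs, the parent's delegation NS set, the apex NS set, the servers actually configured as authoritative, and the primary's host name, are all constructed, as is the function name.

```python
# Added example for this page (not BIND code): compare a zone's delegation
# with its apex NS set and classify its authoritative servers.

def _names(hosts):
    """Normalise host names for comparison (case, trailing dot)."""
    return {h.strip().rstrip(".").lower() for h in hosts}

def check_delegation(parent_ns, apex_ns, authoritative, primary=None):
    """Classify a zone's servers.

    parent_ns      names in the parent zone's NS records (the delegation)
    apex_ns        names in the NS records at the zone's apex
    authoritative  every server that actually serves the zone (from config)
    primary        host name of the primary master, if known

    Returns a dict:
      errors          in the parent's delegation but missing at the apex
                      (the manual says this must not happen)
      apex_only       at the apex but not delegated by the parent (allowed)
      stealth         authoritative but in neither NS set
      hidden_primary  True when the primary master is itself a stealth server
    """
    parent, apex = _names(parent_ns), _names(apex_ns)
    served = _names(authoritative)
    stealth = served - (apex | parent)
    report = {
        "errors": sorted(parent - apex),
        "apex_only": sorted(apex - parent),
        "stealth": sorted(stealth),
        "hidden_primary": False,
    }
    if primary is not None:
        report["hidden_primary"] = primary.strip().rstrip(".").lower() in stealth
    return report

if __name__ == "__main__":
    # Constructed inputs for a zone whose primary sits behind a firewall.
    report = check_delegation(
        parent_ns=["ns1.example.com.", "ns2.example.com."],
        apex_ns=["ns1.example.com", "ns2.example.com", "ns3.example.com"],
        authoritative=["ns1.example.com", "ns2.example.com",
                       "ns3.example.com", "primary.internal.example.com"],
        primary="primary.internal.example.com",
    )
    for key, value in report.items():
        print(f"{key:15} {value}")
```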
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572970"></a>Caching Name Servers</h3></div></div></div>
 The resolver libraries provided by most operating systems are
 <span class="emphasis"><em>stub resolvers</em></span>, meaning that they do not
 perform the full DNS resolution process themselves by talking
 directly to the authoritative servers. Instead, they rely on a
 name server to perform the resolution on their behalf. Such a server
 is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
 <span class="emphasis"><em>recursive lookups</em></span> for local clients.
 To improve performance, recursive servers cache the results of
 the lookups they perform. Since the processes of recursion and
 caching are intimately connected, the terms
 <span class="emphasis"><em>recursive server</em></span> and
 <span class="emphasis"><em>caching server</em></span> are often used synonymously.
 The length of time for which a record may be retained in
 the cache of a caching name server is controlled by the
 Time To Live (TTL) field associated with each resource record.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573005"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
<span class="emphasis"><em>forward</em></span> some or all of the queries
that it cannot satisfy from its cache to another caching name server,
commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an answer
is found. Forwarders are typically used when you do not
wish all the servers at a given site to interact directly with
name servers on the Internet at large. A typical scenario would involve a number
of internal <acronym class="acronym">DNS</acronym> servers and an
Internet firewall. Servers unable
to pass packets through the firewall would forward to the one server
that can, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
on the internal servers' behalf.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573032"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
a master for some zones, a slave for other zones, and as a caching
(recursive) server for a set of local clients.
</p>
<p>
However, since the functions of authoritative name service
and caching/recursive name service are logically separate, it is
often advantageous to run them on separate server machines.
A server that only provides authoritative name service
(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
recursion disabled, improving reliability and security: it cannot be
abused as an open resolver, and every answer it gives comes from its own
zone data rather than from a cache that could be poisoned.
A server that is not authoritative for any zones and only provides
recursive service to local
clients (a <span class="emphasis"><em>caching-only</em></span> server)
does not need to be reachable from the Internet at large and can
be placed inside a firewall.
</p>
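<p>
The deployment sketched in the Forwarding section and the split of roles described
just above, as an added example: three <code>named.conf</code> fragments, one per machine,
written here to illustrate the text and not taken from the ARM or from ISC. It goes
slightly beyond the text by also restricting queries and zone transfers. Everything
site-specific is assumed: 192.0.2.0/24 is the internal network, 192.0.2.10 the internal
caching-only server, 192.0.2.53 the perimeter forwarder, 198.51.100.53 and .54 the
authoritative master and slave, and example.com the served zone.
</p>

```conf
// Added example (not ISC's or the ARM's configuration). Addresses and the zone
// name are assumptions; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.

// ----- File 1: named.conf on an internal caching-only server (192.0.2.10) -----
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.10; };   // internal interface only
    recursion yes;
    allow-recursion { internal; };           // recursive service for local clients only
    allow-query { internal; };
    forwarders { 192.0.2.53; };              // tried in turn until the list is exhausted
    forward only;                            // never contact Internet servers directly
};
// No zone statements: this server is authoritative for nothing.

// ----- File 2: named.conf on the perimeter forwarder (192.0.2.53) -----
// The one machine the firewall allows to reach port 53 on the Internet.
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.53; };
    recursion yes;
    allow-recursion { internal; };   // recursion for the internal servers, never for the Internet
    allow-query { internal; };
};

zone "." {
    type hint;
    file "named.root";               // root hints; file name assumed
};

// ----- File 3: named.conf on the Internet-facing authoritative-only master -----
options {
    directory "/var/named";
    listen-on { 198.51.100.53; };
    recursion no;                        // authoritative-only: answers only from its own zones
    allow-query { any; };                // the whole Internet may ask about those zones
    allow-transfer { 198.51.100.54; };   // zone transfers only to the slave
};
// Weak alternative, for contrast: keeping BIND's default "recursion yes;" on this
// Internet-reachable host with no allow-recursion restriction makes it an open resolver.

zone "example.com" {
    type master;
    file "example.com.zone";
};

// On the slave at 198.51.100.54 the matching zone statement is:
//   zone "example.com" { type slave; masters { 198.51.100.53; }; file "example.com.slave"; };
```

<p>
Each file can be syntax-checked on its host with <code>named-checkconf</code> before
<code>named</code> is reloaded. The point of the split is that only File 3 is reachable
from the Internet, and it performs no recursion, while the two recursive servers answer
only the <code>internal</code> ACL.
</p>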
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"><a accesskey="p" href="Bv9ARM.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch02.html">Next</a></td>
</tr>
<tr>
<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;2.&nbsp;<acronym class="acronym">BIND</acronym> Resource Requirements</td>
</tr>