doc/arm/Bv9ARM.ch03.html

	Bv9ARM.ch03.html revision ea94d370123a5892f6c47a97f21d1b28d44bb168
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!--
5cd4555ad444fd391002ae32450572054369fd42Rob Austein - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews-->
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<!-- $Id$ -->
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<html>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<head>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews<title>Chapter�3.�Name Server Configuration</title>
b5ad6dfea4cc3e7d1d322ac99f1e5a31096837c4Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter�2.�BIND Resource Requirements">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="next" href="Bv9ARM.ch04.html" title="Chapter�4.�Advanced DNS Features">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</head>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<div class="navheader">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<table width="100%" summary="Navigation header">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<tr><th colspan="3" align="center">Chapter�3.�Name Server Configuration</th></tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td width="20%" align="left">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a>�</td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<th width="60%" align="center">�</th>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</table>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<hr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews<div class="chapter" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h2 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="Bv9ARM.ch03"></a>Chapter�3.�Name Server Configuration</h2></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="toc">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><b>Table of Contents</b></p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dl>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><dl>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</dl></dd>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews<dd><dl>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570659">Signals</a></span></dt>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</dl></dd>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</dl>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington</div>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<p>
9b6a170d22d61026d31bde87523f3320628b6ebcBrian Wellington      In this chapter we provide some suggested configurations along
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley      with guidelines for their use.  We suggest reasonable values for
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley      certain option settings.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley    </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<div class="sect1" lang="en">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<div class="titlepage"><div><div><h2 class="title" style="clear: both">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="sect2" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2567771"></a>A Caching-only Name Server</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          The following sample configuration is appropriate for a caching-only
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          name server for use by clients internal to a corporation.  All
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          queries
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley          from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          option.  Alternatively, the same effect could be achieved using
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          suitable
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          firewall rules.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<pre class="programlisting">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein// Two corporate subnets we wish to allow queries from.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austeinacl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austeinoptions {
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     // Working directory
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     directory "/etc/namedb";
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     allow-query { corpnets; };
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein};
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein// Provide a reverse mapping for the loopback
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein// address 127.0.0.1
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austeinzone "0.0.127.in-addr.arpa" {
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     type master;
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     file "localhost.rev";
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     notify no;
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley};
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</pre>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</div>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<div class="sect2" lang="en">
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews<div class="titlepage"><div><div><h3 class="title">
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews<a name="id2567992"></a>An Authoritative-only Name Server</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          This sample configuration is for an authoritative-only server
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          that is the master server for "<code class="filename">example.com</code>"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          and a slave for the subdomain "<code class="filename">eng.example.com</code>".
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<pre class="programlisting">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austeinoptions {
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     // Working directory
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews     directory "/etc/namedb";
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews     // Do not allow access to cache
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     allow-query-cache { none; };
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     // This is the default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     allow-query { any; };
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     // Do not provide recursive service
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     recursion no;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein};
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein// Provide a reverse mapping for the loopback
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein// address 127.0.0.1
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halleyzone "0.0.127.in-addr.arpa" {
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     type master;
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews     file "localhost.rev";
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews     notify no;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein};
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein// We are the master server for example.com
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austeinzone "example.com" {
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     type master;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     file "example.com.db";
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     // IP addresses of slave servers allowed to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     // transfer example.com
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     allow-transfer {
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          192.168.4.14;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          192.168.5.53;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     };
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews};
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews// We are a slave server for eng.example.com
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halleyzone "eng.example.com" {
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley     type slave;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     file "eng.example.com.bk";
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     // IP address of eng.example.com master server
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein     masters { 192.168.4.12; };
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein};
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</pre>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="sect1" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2568014"></a>Load Balancing</h2></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley        A primitive form of load balancing can be achieved in
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley        the <acronym class="acronym">DNS</acronym> by using multiple records
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley        (such as multiple A records) for one name.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley      </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        For example, if you have three WWW servers with network addresses
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        following means that clients will connect to each machine one third
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        of the time:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="informaltable"><table border="1">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<colgroup>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<col>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<col>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington<col>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington<col>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<col>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</colgroup>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<tbody>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington                <p>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington                  Name
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  TTL
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  CLASS
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  TYPE
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  Resource Record (RR) Data
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                  <code class="literal">www</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                  <code class="literal">600</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  <code class="literal">IN</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  <code class="literal">A</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                  <code class="literal">10.0.0.1</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p></p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                <p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                  <code class="literal">600</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein                  <code class="literal">IN</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                  <code class="literal">A</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley              </td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                  <code class="literal">10.0.0.2</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein              </td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<tr>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<td>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                <p></p>
              </td>
<td>
                <p>
                  <code class="literal">600</code>
                </p>
              </td>
<td>
                <p>
                  <code class="literal">IN</code>
                </p>
              </td>
<td>
                <p>
                  <code class="literal">A</code>
                </p>
              </td>
<td>
                <p>
                  <code class="literal">10.0.0.3</code>
                </p>
              </td>
</tr>
</tbody>
</table></div>
<p>
        When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
        them and respond to the query with the records in a different
        order.  In the example above, clients will randomly receive
        records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
        will use the first record returned and discard the rest.
      </p>
<p>
        For more detail on ordering responses, check the
        <span><strong class="command">rrset-order</strong></span> sub-statement in the
        <span><strong class="command">options</strong></span> statement, see
        <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
      </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568369"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568374"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
          This section describes several indispensable diagnostic,
          administrative and monitoring tools available to the system
          administrator for controlling and debugging the name server
          daemon.
        </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
<p>
            The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
            <span><strong class="command">nslookup</strong></span> programs are all command
            line tools
            for manually querying name servers.  They differ in style and
            output format.
          </p>
<div class="variablelist"><dl>
<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
<dd>
<p>
                  The domain information groper (<span><strong class="command">dig</strong></span>)
                  is the most versatile and complete of these lookup tools.
                  It has two modes: simple interactive
                  mode for a single query, and batch mode which executes a
                  query for
                  each in a list of several query lines. All query options are
                  accessible
                  from the command line.
                </p>
<div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>
                  The usual simple use of <span><strong class="command">dig</strong></span> will take the form
                </p>
<p>
                  <span><strong class="command">dig @server domain query-type query-class</strong></span>
                </p>
<p>
                  For more information and a list of available commands and
                  options, see the <span><strong class="command">dig</strong></span> man
                  page.
                </p>
</dd>
<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
<dd>
<p>
                  The <span><strong class="command">host</strong></span> utility emphasizes
                  simplicity
                  and ease of use.  By default, it converts
                  between host names and Internet addresses, but its
                  functionality
                  can be extended with the use of options.
                </p>
<div class="cmdsynopsis"><p><code class="command">host</code>  [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6]  <em class="replaceable"><code>hostname</code></em>  [<em class="replaceable"><code>server</code></em>]</p></div>
<p>
                  For more information and a list of available commands and
                  options, see the <span><strong class="command">host</strong></span> man
                  page.
                </p>
</dd>
<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
<dd>
<p><span><strong class="command">nslookup</strong></span>
                  has two modes: interactive and
                  non-interactive. Interactive mode allows the user to
                  query name servers for information about various
                  hosts and domains or to print a list of hosts in a
                  domain. Non-interactive mode is used to print just
                  the name and requested information for a host or
                  domain.
                </p>
<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] |  [- [server]]]</p></div>
<p>
                  Interactive mode is entered when no arguments are given (the
                  default name server will be used) or when the first argument
                  is a
                  hyphen (`-') and the second argument is the host name or
                  Internet address
                  of a name server.
                </p>
<p>
                  Non-interactive mode is used when the name or Internet
                  address
                  of the host to be looked up is given as the first argument.
                  The
                  optional second argument specifies the host name or address
                  of a name server.
                </p>
<p>
                  Due to its arcane user interface and frequently inconsistent
                  behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
                  Use <span><strong class="command">dig</strong></span> instead.
                </p>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
<p>
            Administrative tools play an integral part in the management
            of a server.
          </p>
<div class="variablelist"><dl>
<dt>
<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
</dt>
<dd>
<p>
                  The <span><strong class="command">named-checkconf</strong></span> program
                  checks the syntax of a <code class="filename">named.conf</code> file.
                </p>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt>
<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
</dt>
<dd>
<p>
                  The <span><strong class="command">named-checkzone</strong></span> program
                  checks a master file for
                  syntax and consistency.
                </p>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt>
<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
</dt>
<dd><p>
                  Similar to <span><strong class="command">named-checkzone,</strong></span> but
                  it always dumps the zone content to a specified file
                  (typically in a different format).
                </p></dd>
<dt>
<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
</dt>
<dd>
<p>
                  The remote name daemon control
                  (<span><strong class="command">rndc</strong></span>) program allows the
                  system
                  administrator to control the operation of a name server.
                  Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
                  supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
                  utility except <span><strong class="command">ndc start</strong></span> and
                  <span><strong class="command">ndc restart</strong></span>, which were also
                  not supported in <span><strong class="command">ndc</strong></span>'s
                  channel mode.
                  If you run <span><strong class="command">rndc</strong></span> without any
                  options
                  it will display a usage message as follows:
                </p>
<div class="cmdsynopsis"><p><code class="command">rndc</code>  [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>]  <em class="replaceable"><code>command</code></em>  [<em class="replaceable"><code>command</code></em>...]</p></div>
<p>The <span><strong class="command">command</strong></span>
                  is one of the following:
                </p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p>
                        Reload configuration file and zones.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
                        Reload the given zone.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
                        Schedule zone maintenance for the given zone.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>

                        [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
                        Retransfer the given zone from the master.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
                        Fetch all DNSSEC keys for the given zone
                        from the key directory (see
                        <span><strong class="command">key-directory</strong></span> in
                        <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
          Usage&#8221;</a>).  If they are within
                        their publication period, merge them into the
                        zone's DNSKEY RRset.  If the DNSKEY RRset
                        is changed, then the zone is automatically
                        re-signed with the new key set.
                      </p>
<p>
                        This command requires that the
                        <span><strong class="command">auto-dnssec</strong></span> zone option be set
                        to <code class="literal">allow</code> or
                        <code class="literal">maintain</code>,
                        and also requires the zone to be configured to
                        allow dynamic DNS.
                        See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
                        more details.
                      </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
                        Fetch all DNSSEC keys for the given zone
                        from the key directory (see
                        <span><strong class="command">key-directory</strong></span> in
                        <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
          Usage&#8221;</a>).  If they are within
                        their publication period, merge them into the
                        zone's DNSKEY RRset.  Unlike <span><strong class="command">rndc
                        sign</strong></span>, however, the zone is not
                        immediately re-signed by the new keys, but is
                        allowed to incrementally re-sign over time.
                      </p>
<p>
                        This command requires that the
                        <span><strong class="command">auto-dnssec</strong></span> zone option
                        be set to <code class="literal">maintain</code>,
                        and also requires the zone to be configured to
                        allow dynamic DNS.
                        See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
                        more details.
                      </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>freeze
                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
       [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
                        Suspend updates to a dynamic zone.  If no zone is
                        specified, then all zones are suspended.  This allows
                        manual edits to be made to a zone normally updated by
                        dynamic update.  It also causes changes in the
                        journal file to be synced into the master file.
                        All dynamic update attempts will be refused while
                        the zone is frozen.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>thaw
                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
       [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
                        Enable updates to a frozen dynamic zone.  If no
                        zone is specified, then all frozen zones are
                        enabled.  This causes the server to reload the zone
                        from disk, and re-enables dynamic updates after the
                        load has completed.  After a zone is thawed,
                        dynamic updates will no longer be refused.  If
                        the zone has changed and the
                        <span><strong class="command">ixfr-from-differences</strong></span> option is
                        in use, then the journal file will be updated to
                        reflect changes in the zone.  Otherwise, if the
                        zone has changed, any existing journal file will be
                        removed.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>sync
                        [<span class="optional">-clean</span>]
                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
       [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
                        Sync changes in the journal file for a dynamic zone
                        to the master file.  If the "-clean" option is
                        specified, the journal file is also removed.  If
                        no zone is specified, then all zones are synced.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
                        Resend NOTIFY messages for the zone.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p>
                        Reload the configuration file and load new zones,
                        but do not reload existing zone files even if they
                        have changed.
                        This is faster than a full <span><strong class="command">reload</strong></span> when there
                        is a large number of zones because it avoids the need
                        to examine the
                        modification times of the zones files.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus
                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
       [<span class="optional"><em class="replaceable"><code>class</code></em>
           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
                        Displays the current status of the given zone,
                        including the master file name and any include
                        files from which it was loaded, when it was most
                        recently loaded, the current serial number, the
                        number of nodes, whether the zone supports
                        dynamic updates, whether the zone is DNSSEC
                        signed, whether it uses automatic DNSSEC key
                        management or inline signing, and the scheduled
                        refresh or expiry times for the zone.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p>
                        Write server statistics to the statistics file.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong>
                          [<span class="optional">on|off</span>]
                    </span></dt>
<dd>
<p>
                        Enable or disable query logging.  (For backward
                        compatibility, this command can also be used without
                        an argument to toggle query logging on and off.)
                      </p>
<p>
                        Query logging can also be enabled
                        by explicitly directing the <span><strong class="command">queries</strong></span>
                        <span><strong class="command">category</strong></span> to a
                        <span><strong class="command">channel</strong></span> in the
                        <span><strong class="command">logging</strong></span> section of
                        <code class="filename">named.conf</code> or by specifying
                        <span><strong class="command">querylog yes;</strong></span> in the
                        <span><strong class="command">options</strong></span> section of
                        <code class="filename">named.conf</code>.
                      </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb
                        [<span class="optional">-all|-cache|-zone</span>]
                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
                        Dump the server's caches (default) and/or zones to
                        the
                        dump file for the specified views.  If no view is
                        specified, all
                        views are dumped.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>secroots
                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
                        Dump the server's security roots to the secroots
                        file for the specified views.  If no view is
                        specified, security roots for all
                        views are dumped.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
                        Stop the server, making sure any recent changes
                        made through dynamic update or IXFR are first saved to
                        the master files of the updated zones.
                        If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
                        This allows an external process to determine when <span><strong class="command">named</strong></span>
                        had completed stopping.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
                        Stop the server immediately.  Recent changes
                        made through dynamic update or IXFR are not saved to
                        the master files, but will be rolled forward from the
                        journal files when the server is restarted.
                        If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
                        This allows an external process to determine when <span><strong class="command">named</strong></span>
                        had completed halting.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p>
                        Increment the servers debugging level by one.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd><p>
                        Sets the server's debugging level to an explicit
                        value.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
<dd><p>
                        Sets the server's debugging level to 0.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd><p>
                        Flushes the server's cache.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong>
                       <em class="replaceable"><code>name</code></em>
                       [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
                       </span></dt>
<dd><p>
                        Flushes the given name from the server's DNS cache,
                        and from the server's nameserver address database
                        if applicable.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong>
                       <em class="replaceable"><code>name</code></em>
                       [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
                       </span></dt>
<dd><p>
                        Flushes the given name, and all of its subdomains,
                        from the server's DNS cache.  (The server's
                        nameserver address database is not affected.)
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p>
                        Display status of the server.
                        Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
                        and the default <span><strong class="command">/IN</strong></span>
                        hint zone if there is not an
                        explicit root zone configured.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
                        Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
                        on.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>validation
                        [<span class="optional">on|off</span>]
                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
                    </code></strong></span></dt>
<dd><p>
                        Enable or disable DNSSEC validation.
                        Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
                        set to <strong class="userinput"><code>yes</code></strong> to be effective.
                        It defaults to enabled.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd><p>
                        List the names of all TSIG keys currently configured
                        for use by <span><strong class="command">named</strong></span> in each view.  The
                        list both statically configured keys and dynamic
                        TKEY-negotiated keys.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
                     <em class="replaceable"><code>keyname</code></em>
                     [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd><p>
                        Delete a given TKEY-negotated key from the server.
                        (This does not apply to statically configured TSIG
                        keys.)
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>addzone
                        <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
                        [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
                        <em class="replaceable"><code>configuration</code></em>
                    </code></strong></span></dt>
<dd>
<p>
                        Add a zone while the server is running.  This
                        command requires the
                        <span><strong class="command">allow-new-zones</strong></span> option to be set
                        to <strong class="userinput"><code>yes</code></strong>.  The
                        <em class="replaceable"><code>configuration</code></em> string
                        specified on the command line is the zone
                        configuration text that would ordinarily be
                        placed in <code class="filename">named.conf</code>.
                      </p>
<p>
                        The configuration is saved in a file called
                       <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
                        where <em class="replaceable"><code>hash</code></em> is a
                        cryptographic hash generated from the name of
                        the view.  When <span><strong class="command">named</strong></span> is
                        restarted, the file will be loaded into the view
                        configuration, so that zones that were added
                        can persist after a restart.
                      </p>
<p>
                        This sample <span><strong class="command">addzone</strong></span> command
                        would add the zone <code class="literal">example.com</code>
                        to the default view:
                      </p>
<p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
                      </p>
<p>
                        (Note the brackets and semi-colon around the zone
                        configuration text.)
                      </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>delzone
                        <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
                        [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
                    </code></strong></span></dt>
<dd><p>
                        Delete a zone while the server is running.
                        Only zones that were originally added via
                        <span><strong class="command">rndc addzone</strong></span> can be deleted
                        in this matter.
                      </p></dd>
<dt><span class="term"><strong class="userinput"><code>signing
                        [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>]
                        <em class="replaceable"><code>zone</code></em>
                        [<span class="optional"><em class="replaceable"><code>class</code></em>
                        [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
                    </code></strong></span></dt>
<dd>
<p>
                        List, edit, or remove the DNSSEC signing state for
                        the specified zone.  The status of ongoing DNSSEC
                        operations (such as signing or generating
                        NSEC3 chains) is stored in the zone in the form
                        of DNS resource records of type
                        <span><strong class="command">sig-signing-type</strong></span>.
                        <span><strong class="command">rndc signing -list</strong></span> converts
                        these records into a human-readable form,
                        indicating which keys are currently signing
                        or have finished signing the zone, and which NSEC3
                        NSEC3 chains are being created or removed.
                      </p>
<p>
                        <span><strong class="command">rndc signing -clear</strong></span> can remove
                        a single key (specified in the same format that
                        <span><strong class="command">rndc signing -list</strong></span> uses to
                        display it), or all keys.  In either case, only
                        completed keys are removed; any record indicating
                        that a key has not yet finished signing the zone
                        will be retained.
                      </p>
<p>
                        <span><strong class="command">rndc signing -nsec3param</strong></span> sets
                        the NSEC3 parameters for a zone.  This is the
                        only supported mechanism for using NSEC3 with
                        <span><strong class="command">inline-signing</strong></span> zones.
                        Parameters are specified in the same format as
                        an NSEC3PARAM resource record: hash algorithm,
                        flags, iterations, salt.  For example, to set an
                        NSEC3 chain using the SHA-1 hash algorithm,
                        no opt-out flag, 10 iterations, and a salt value
                        of "FFFF", use:
                        <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF</strong></span>.
                        <span><strong class="command">rndc signing -nsec3param none</strong></span>
                        removes an existing NSEC3 chain and replaces it
                        with NSEC.
                      </p>
</dd>
</dl></div>
<p>
                  A configuration file is required, since all
                  communication with the server is authenticated with
                  digital signatures that rely on a shared secret, and
                  there is no way to provide that secret other than with a
                  configuration file.  The default location for the
                  <span><strong class="command">rndc</strong></span> configuration file is
                  <code class="filename">/etc/rndc.conf</code>, but an
                  alternate
                  location can be specified with the <code class="option">-c</code>
                  option.  If the configuration file is not found,
                  <span><strong class="command">rndc</strong></span> will also look in
                  <code class="filename">/etc/rndc.key</code> (or whatever
                  <code class="varname">sysconfdir</code> was defined when
                  the <acronym class="acronym">BIND</acronym> build was
                  configured).
                  The <code class="filename">rndc.key</code> file is
                  generated by
                  running <span><strong class="command">rndc-confgen -a</strong></span> as
                  described in
                  <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
          Usage&#8221;</a>.
                </p>
<p>
                  The format of the configuration file is similar to
                  that of <code class="filename">named.conf</code>, but
                  limited to
                  only four statements, the <span><strong class="command">options</strong></span>,
                  <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
                  <span><strong class="command">include</strong></span>
                  statements.  These statements are what associate the
                  secret keys to the servers with which they are meant to
                  be shared.  The order of statements is not
                  significant.
                </p>
<p>
                  The <span><strong class="command">options</strong></span> statement has
                  three clauses:
                  <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
                  and <span><strong class="command">default-port</strong></span>.
                  <span><strong class="command">default-server</strong></span> takes a
                  host name or address argument  and represents the server
                  that will
                  be contacted if no <code class="option">-s</code>
                  option is provided on the command line.
                  <span><strong class="command">default-key</strong></span> takes
                  the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
                  <span><strong class="command">default-port</strong></span> specifies the
                  port to which
                  <span><strong class="command">rndc</strong></span> should connect if no
                  port is given on the command line or in a
                  <span><strong class="command">server</strong></span> statement.
                </p>
<p>
                  The <span><strong class="command">key</strong></span> statement defines a
                  key to be used
                  by <span><strong class="command">rndc</strong></span> when authenticating
                  with
                  <span><strong class="command">named</strong></span>.  Its syntax is
                  identical to the
                  <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
                  The keyword <strong class="userinput"><code>key</code></strong> is
                  followed by a key name, which must be a valid
                  domain name, though it need not actually be hierarchical;
                  thus,
                  a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
                  name.
                  The <span><strong class="command">key</strong></span> statement has two
                  clauses:
                  <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
                  While the configuration parser will accept any string as the
                  argument
                  to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
                  has any meaning.  The secret is a base-64 encoded string
                  as specified in RFC 3548.
                </p>
<p>
                  The <span><strong class="command">server</strong></span> statement
                  associates a key
                  defined using the <span><strong class="command">key</strong></span>
                  statement with a server.
                  The keyword <strong class="userinput"><code>server</code></strong> is followed by a
                  host name or address.  The <span><strong class="command">server</strong></span> statement
                  has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
                  The <span><strong class="command">key</strong></span> clause specifies the
                  name of the key
                  to be used when communicating with this server, and the
                  <span><strong class="command">port</strong></span> clause can be used to
                  specify the port <span><strong class="command">rndc</strong></span> should
                  connect
                  to on the server.
                </p>
<p>
                  A sample minimal configuration file is as follows:
                </p>
<pre class="programlisting">
key rndc_key {
     algorithm "hmac-md5";
     secret
       "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
     default-server 127.0.0.1;
     default-key    rndc_key;
};
</pre>
<p>
                  This file, if installed as <code class="filename">/etc/rndc.conf</code>,
                  would allow the command:
                </p>
<p>
                  <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
                </p>
<p>
                  to connect to 127.0.0.1 port 953 and cause the name server
                  to reload, if a name server on the local machine were
                  running with
                  following controls statements:
                </p>
<pre class="programlisting">
controls {
        inet 127.0.0.1
            allow { localhost; } keys { rndc_key; };
};
</pre>
<p>
                  and it had an identical key statement for
                  <code class="literal">rndc_key</code>.
                </p>
<p>
                  Running the <span><strong class="command">rndc-confgen</strong></span>
                  program will
                  conveniently create a <code class="filename">rndc.conf</code>
                  file for you, and also display the
                  corresponding <span><strong class="command">controls</strong></span>
                  statement that you need to
                  add to <code class="filename">named.conf</code>.
                  Alternatively,
                  you can run <span><strong class="command">rndc-confgen -a</strong></span>
                  to set up
                  a <code class="filename">rndc.key</code> file and not
                  modify
                  <code class="filename">named.conf</code> at all.
                </p>
</dd>
</dl></div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570659"></a>Signals</h3></div></div></div>
<p>
          Certain UNIX signals cause the name server to take specific
          actions, as described in the following table.  These signals can
          be sent using the <span><strong class="command">kill</strong></span> command.
        </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
                  <p><span><strong class="command">SIGHUP</strong></span></p>
                </td>
<td>
                  <p>
                    Causes the server to read <code class="filename">named.conf</code> and
                    reload the database.
                  </p>
                </td>
</tr>
<tr>
<td>
                  <p><span><strong class="command">SIGTERM</strong></span></p>
                </td>
<td>
                  <p>
                    Causes the server to clean up and exit.
                  </p>
                </td>
</tr>
<tr>
<td>
                  <p><span><strong class="command">SIGINT</strong></span></p>
                </td>
<td>
                  <p>
                    Causes the server to clean up and exit.
                  </p>
                </td>
</tr>
</tbody>
</table></div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a>�</td>
<td width="20%" align="center">�</td>
<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter�2.�<acronym class="acronym">BIND</acronym> Resource Requirements�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�Chapter�4.�Advanced DNS Features</td>
</tr>
</table>
</div>
</body>
</html>