<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 3. Name Server Configuration</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
</table>
<div class="titlepage"><div><div><h1 class="title">Chapter 3. Name Server Configuration</h1></div></div></div>
<p>In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.4.3.2"></a>A Caching-only Name Server</h3></div></div></div>
<p>The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All queries
from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
option. Alternatively, the same effect could be achieved using</p>
<pre class="programlisting">// Two corporate subnets we wish to allow queries from.
// Provide a reverse mapping for the loopback
</pre>
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.4.3.3"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>This sample configuration is for an authoritative-only server</p>
<pre class="programlisting">        // Do not allow access to cache
        // Do not provide recursive service
// Provide a reverse mapping for the loopback
        // IP addresses of slave servers allowed to
</pre>
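<p>As an added example covering both sample configurations above (new code, not one of the ARM's listings), the following Python audits the <code class="literal">options</code> statement of a <code class="filename">named.conf</code> against the caching-only profile (allow-query limited to an internal ACL) and the authoritative-only profile (cache access denied, recursion off). The two excerpts it checks are constructed to match the listing comments shown; <code class="literal">allow-query</code>, <code class="literal">allow-query-cache</code> and <code class="literal">recursion</code> are real named.conf options, while the ACL name, addresses and directory path are made up.</p>

```python
import re

# Constructed named.conf excerpts (not the ARM's own listings), written to
# match the comments the chapter shows for each sample configuration.
CACHING_ONLY = """
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
    directory "/var/named";
    allow-query { corpnets; };
};
"""
AUTHORITATIVE_ONLY = """
options {
    directory "/var/named";
    allow-query-cache { none; };   // Do not allow access to cache
    recursion no;                  // Do not provide recursive service
};
"""

def strip_comments(text):
    """Drop C-style, C++-style and shell-style named.conf comments."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def options_block(text):
    """Return the body of the options { ... } statement, brace-matched."""
    text = strip_comments(text)
    m = re.search(r'\boptions\s*\{', text)
    if m is None:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError('unbalanced braces in options statement')

def address_list(block, option):
    """Items of an address-match-list option, or None if it is not set."""
    m = re.search(r'\b%s\s*\{([^}]*)\}\s*;' % re.escape(option), block)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(';') if item.strip()]

def audit(conf, role):
    """Deviations from the chapter's 'caching' or 'authoritative' profile;
    an empty list means the options statement fits the role."""
    opts = options_block(conf)
    findings = []
    allow_query = address_list(opts, 'allow-query')
    if role == 'caching' and (allow_query is None or 'any' in allow_query):
        findings.append('allow-query does not restrict queries to internal clients')
    if role == 'authoritative':
        rec = re.search(r'\brecursion\s+(yes|no)\s*;', opts)
        if rec is None or rec.group(1) != 'no':
            findings.append('recursion is not disabled')
        if address_list(opts, 'allow-query-cache') != ['none']:
            findings.append('cache access is not denied (allow-query-cache)')
    return findings
```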
<div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id-1.4.4"></a>Load Balancing</h2></div></div></div>
<p>A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
(such as multiple A records) for one name.
For example, if you have three WWW servers with network addresses
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
following means that clients will connect to each machine one third</p>
<div class="informaltable"><table border="1">
<tr>
<td><code class="literal">www</code></td>
<td><code class="literal">600</code></td>
<td><code class="literal">IN</code></td>
<td><code class="literal">A</code></td>
<td><code class="literal">10.0.0.1</code></td>
</tr>
<tr>
<td></td>
<td><code class="literal">600</code></td>
<td><code class="literal">IN</code></td>
<td><code class="literal">A</code></td>
<td><code class="literal">10.0.0.2</code></td>
</tr>
<tr>
<td></td>
<td><code class="literal">600</code></td>
<td><code class="literal">IN</code></td>
<td><code class="literal">A</code></td>
<td><code class="literal">10.0.0.3</code></td>
</tr>
</table></div>
<p>When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
them and respond to the query with the records in a different
order. In the example above, clients will randomly receive
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
will use the first record returned and discard the rest.
For more detail on ordering responses, check the
<span class="command"><strong>rrset-order</strong></span> sub-statement in the
<span class="command"><strong>options</strong></span> statement, see</p>
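<p>As an added illustration (not code from the ARM), this Python models how an <code class="literal">rrset-order</code> setting changes what each client sees for the RRset above: <code class="literal">cyclic</code>, <code class="literal">random</code> and <code class="literal">fixed</code> are the values that sub-statement accepts, and a simulated client that keeps only the first record shows one third of connections going to each address under cyclic order and all of them to 10.0.0.1 under fixed order. The RRset tuples are constructed from the table.</p>

```python
import random

# Constructed RRset matching the chapter's table: three A records for "www".
WWW_RRSET = [('www', 600, 'IN', 'A', '10.0.0.1'),
             ('www', 600, 'IN', 'A', '10.0.0.2'),
             ('www', 600, 'IN', 'A', '10.0.0.3')]

class RRsetOrderer:
    """Orders an RRset for each response the way the rrset-order values
    describe: 'cyclic' rotates one position per answer (the chapter's
    1,2,3 / 2,3,1 / 3,1,2), 'random' shuffles, 'fixed' keeps zone order."""
    def __init__(self, order='cyclic', rng=None):
        if order not in ('cyclic', 'random', 'fixed'):
            raise ValueError('unknown rrset-order value %r' % order)
        self.order = order
        self.rng = rng or random.Random()
        self._shift = 0   # how far the cyclic rotation has advanced

    def answer(self, rrset):
        rrs = list(rrset)
        if self.order == 'cyclic':
            k = self._shift % len(rrs)
            self._shift += 1
            return rrs[k:] + rrs[:k]
        if self.order == 'random':
            self.rng.shuffle(rrs)
        return rrs

def first_address_share(orderer, rrset, queries):
    """Simulate clients that use the first record and discard the rest;
    returns the fraction of connections each address receives."""
    hits = {}
    for _ in range(queries):
        addr = orderer.answer(rrset)[0][4]
        hits[addr] = hits.get(addr, 0) + 1
    return {addr: n / queries for addr, n in sorted(hits.items())}

if __name__ == '__main__':
    for order in ('cyclic', 'random', 'fixed'):
        print(order, first_address_share(RRsetOrderer(order), WWW_RRSET, 3000))
```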
<div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id-1.4.5"></a>Name Server Operations</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.4.5.2"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
administrator for controlling and debugging the name server</p>
<div class="titlepage"><div><div><h4 class="title"><a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
<p>The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
<span class="command"><strong>nslookup</strong></span> programs are all command line tools
for manually querying name servers. They differ in style and</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
<dd>
<p>The domain information groper (<span class="command"><strong>dig</strong></span>)
is the most versatile and complete of these lookup tools.
It has two modes: simple interactive
mode for a single query, and batch mode which executes a
query for each in a list of several query lines. All query options are</p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
<span class="command"><strong>dig @server domain query-type query-class</strong></span></p>
<p>For more information and a list of available commands and
options, see the <span class="command"><strong>dig</strong></span> man page.</p>
</dd>
<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
<dd>
<p>The <span class="command"><strong>host</strong></span> utility emphasizes
and ease of use. By default, it converts
between host names and Internet addresses, but its
can be extended with the use of options.</p>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
<p>For more information and a list of available commands and
options, see the <span class="command"><strong>host</strong></span> man page.</p>
</dd>
<dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>
<dd>
<p><span class="command"><strong>nslookup</strong></span>
non-interactive. Interactive mode allows the user to
query name servers for information about various
hosts and domains or to print a list of hosts in a
domain. Non-interactive mode is used to print just
the name and requested information for a host or</p>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
<p>Interactive mode is entered when no arguments are given (the
default name server will be used) or when the first argument is a
hyphen (`-') and the second argument is the host name or
Non-interactive mode is used when the name or Internet address
of the host to be looked up is given as the first argument. The
optional second argument specifies the host name or address</p>
<p>Due to its arcane user interface and frequently inconsistent
behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.
Use <span class="command"><strong>dig</strong></span> instead.</p>
</dd>
</dl></div>
<div class="titlepage"><div><div><h4 class="title"><a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
<p>Administrative tools play an integral part in the management</p>
<div class="variablelist"><dl class="variablelist">
<dt><a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span></dt>
<dd>
<p>The <span class="command"><strong>named-checkconf</strong></span> program</p>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt><a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span></dt>
<dd>
<p>The <span class="command"><strong>named-checkzone</strong></span> program</p>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt><a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span></dt>
<dd>
<p>Similar to <span class="command"><strong>named-checkzone</strong></span>, but
it always dumps the zone content to a specified file
(typically in a different format).</p>
</dd>
<dt><a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span></dt>
<dd>
<p>(<span class="command"><strong>rndc</strong></span>) program allows the
administrator to control the operation of a name server.
Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>
utility except <span class="command"><strong>ndc start</strong></span> and
<span class="command"><strong>ndc restart</strong></span>, which were also
not supported in <span class="command"><strong>ndc</strong></span>'s</p>
<p>If you run <span class="command"><strong>rndc</strong></span> without any arguments
it will display a usage message as follows:</p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
the available <span class="command"><strong>rndc</strong></span> commands.</p>
<p><span class="command"><strong>rndc</strong></span> requires a configuration file, since
communication with the server is authenticated with
digital signatures that rely on a shared secret, and
there is no way to provide that secret other than with a
configuration file. The default location for the
<span class="command"><strong>rndc</strong></span> configuration file is
location can be specified with the <code class="option">-c</code>
option. If the configuration file is not found,
<span class="command"><strong>rndc</strong></span> will also look in
<code class="varname">sysconfdir</code> was defined when
the <acronym class="acronym">BIND</acronym> build was
running <span class="command"><strong>rndc-confgen -a</strong></span> as
<a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and Usage”</a></p>
<p>The format of the configuration file is similar to
only four statements, the <span class="command"><strong>options</strong></span>,
<span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
<span class="command"><strong>include</strong></span>
statements. These statements are what associate the
secret keys to the servers with which they are meant to
be shared. The order of statements is not</p>
<p>The <span class="command"><strong>options</strong></span> statement has
<span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
and <span class="command"><strong>default-port</strong></span>.
<span class="command"><strong>default-server</strong></span> takes a
host name or address argument and represents the server
be contacted if no <code class="option">-s</code>
option is provided on the command line.
<span class="command"><strong>default-key</strong></span> takes
the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
<span class="command"><strong>default-port</strong></span> specifies the
<span class="command"><strong>rndc</strong></span> should connect if no
port is given on the command line or in a
<span class="command"><strong>server</strong></span> statement.</p>
<p>The <span class="command"><strong>key</strong></span> statement defines a
by <span class="command"><strong>rndc</strong></span> when authenticating
<span class="command"><strong>named</strong></span>. Its syntax is
<span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>.
The keyword <strong class="userinput"><code>key</code></strong> is
followed by a key name, which must be a valid
domain name, though it need not actually be hierarchical;
a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
The <span class="command"><strong>key</strong></span> statement has two
<span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
While the configuration parser will accept any string as the
to algorithm, currently only the strings
"<strong class="userinput"><code>hmac-md5</code></strong>",
"<strong class="userinput"><code>hmac-sha1</code></strong>",
"<strong class="userinput"><code>hmac-sha224</code></strong>",
"<strong class="userinput"><code>hmac-sha256</code></strong>",
"<strong class="userinput"><code>hmac-sha384</code></strong>"
and "<strong class="userinput"><code>hmac-sha512</code></strong>"
have any meaning. The secret is a base-64 encoded string</p>
<p>The <span class="command"><strong>server</strong></span> statement
defined using the <span class="command"><strong>key</strong></span>
The keyword <strong class="userinput"><code>server</code></strong> is followed by a
host name or address. The <span class="command"><strong>server</strong></span> statement
has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>.
The <span class="command"><strong>key</strong></span> clause specifies the
to be used when communicating with this server, and the
<span class="command"><strong>port</strong></span> clause can be used to
specify the port <span class="command"><strong>rndc</strong></span> should</p>
<p>A sample minimal configuration file is as follows:</p>
<pre class="programlisting">        "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
</pre>
<pre class="programlisting"><code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong></pre>
<p>to connect to 127.0.0.1 port 953 and cause the name server
to reload, if a name server on the local machine were</p>
<pre class="programlisting">        allow { localhost; } keys { rndc_key; };
</pre>
<p>and it had an identical key statement for
<code class="literal">rndc_key</code>.</p>
<p>Running the <span class="command"><strong>rndc-confgen</strong></span>
file for you, and also display the
corresponding <span class="command"><strong>controls</strong></span>
you can run <span class="command"><strong>rndc-confgen -a</strong></span></p>
</dd>
</dl></div>
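<p>Since <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span> must hold the identical key, here is an added consistency check (new code, not part of BIND or the ARM) that applies the rules above to constructed <code class="filename">rndc.conf</code> and <code class="filename">named.conf</code> fragments: <code class="literal">default-key</code> must name a key statement, the algorithm must be one of the six hmac-* strings listed, the secret must be valid base-64, and named.conf must contain an identical key statement that its <code class="literal">controls</code> statement lists. It also flags hmac-md5 as the weakest of the accepted algorithms. The secret is the chapter's sample string reused as a placeholder, not a credential.</p>

```python
import base64
import binascii
import re

# Constructed rndc.conf and named.conf fragments modelled on the chapter's
# minimal sample; SECRET is the chapter's sample string, not a real credential.
SECRET = 'c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K'
KEY_STMT = 'key rndc_key { algorithm hmac-sha256; secret "%s"; };' % SECRET
RNDC_CONF = KEY_STMT + '\noptions { default-server 127.0.0.1; default-key rndc_key; };\n'
NAMED_CONF = (KEY_STMT + '\ncontrols {\n'
              '    inet 127.0.0.1 port 953 allow { localhost; } keys { rndc_key; };\n};\n')

# The six algorithm names the chapter says have any meaning.
HMAC_ALGORITHMS = {'hmac-md5', 'hmac-sha1', 'hmac-sha224',
                   'hmac-sha256', 'hmac-sha384', 'hmac-sha512'}

def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key statement."""
    keys = {}
    for m in re.finditer(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', conf):
        body = m.group(2)
        alg = re.search(r'\balgorithm\s+"?([\w-]+)"?\s*;', body)
        sec = re.search(r'\bsecret\s+"([^"]*)"\s*;', body)
        keys[m.group(1)] = (alg.group(1).lower() if alg else None,
                            sec.group(1) if sec else None)
    return keys

def controls_keys(conf):
    """Key names listed in keys { ... } inside the controls statement
    (assumes its closing brace starts a line, as rndc-confgen prints it)."""
    m = re.search(r'\bcontrols\s*\{(.*?)\n\};', conf, re.S)
    if m is None:
        return []
    return [k.strip().strip('"') for grp in re.findall(r'\bkeys\s*\{([^}]*)\}', m.group(1))
            for k in grp.split(';') if k.strip()]

def check_rndc_setup(rndc_conf, named_conf):
    """Problems that would stop rndc authenticating to named; [] means consistent."""
    problems = []
    m = re.search(r'\bdefault-key\s+"?([\w.-]+)"?\s*;', rndc_conf)
    name = m.group(1) if m else None
    rndc_keys = parse_keys(rndc_conf)
    if name not in rndc_keys:
        return ['rndc.conf: default-key %r has no matching key statement' % name]
    alg, secret = rndc_keys[name]
    if alg not in HMAC_ALGORITHMS:
        problems.append('algorithm %r is not one rndc understands' % alg)
    elif alg == 'hmac-md5':
        problems.append('hmac-md5 is the weakest accepted algorithm; prefer hmac-sha256 or stronger')
    try:
        base64.b64decode(secret or '', validate=True)
    except binascii.Error:
        problems.append('secret is not valid base-64')
    if name not in controls_keys(named_conf):
        problems.append('named.conf controls statement does not list key %r' % name)
    if parse_keys(named_conf).get(name) != (alg, secret):
        problems.append('named.conf key %r differs from rndc.conf' % name)
    return problems
```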
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.4.5.3"></a>Signals</h3></div></div></div>
<p>Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
be sent using the <span class="command"><strong>kill</strong></span> command.</p>
<div class="informaltable"><table border="1">
<tr>
<td><p><span class="command"><strong>SIGHUP</strong></span></p></td>
<td></td>
</tr>
<tr>
<td><p><span class="command"><strong>SIGTERM</strong></span></p></td>
<td>Causes the server to clean up and exit.</td>
</tr>
<tr>
<td><p><span class="command"><strong>SIGINT</strong></span></p></td>
<td>Causes the server to clean up and exit.</td>
</tr>
</table></div>