Bv9ARM.ch03.html revision f0aad5341752aefe5059832f6cf3abc3283c6e16
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 3. Name Server Configuration</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h1></div></div></div>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
</dl>
<p>
 In this chapter we provide some suggested configurations along
 with guidelines for their use. We suggest reasonable values for
 certain option settings.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>
<p>
 The following sample configuration is appropriate for a caching-only
 name server for use by clients internal to a corporation. All
 queries from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
 option. Alternatively, the same effect could be achieved using
 firewall rules.
</p>
<pre class="programlisting">
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
     // Working directory
     allow-query { corpnets; };
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
 This sample configuration is for an authoritative-only server
 that is the master server for "<code class="filename">example.com</code>"
 and a slave for the subdomain "<code class="filename">eng.example.com</code>".
</p>
<pre class="programlisting">
options {
     // Working directory
     // Do not allow access to cache
     allow-query-cache { none; };
     // This is the default
     allow-query { any; };
     // Do not provide recursive service
     recursion no;
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
// We are the master server for example.com
zone "example.com" {
     type master;
     file "ZONE_FILE_PLACEHOLDER"; // placeholder: the file name is not shown here
     // IP addresses of slave servers allowed to
     // transfer example.com
     allow-transfer {
          192.168.4.14;
          192.168.5.53;
     };
};
// We are a slave server for eng.example.com
zone "eng.example.com" {
     type slave;
     // IP address of eng.example.com master server
     masters { 192.168.4.12; };
};
</pre>
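<p>
 An added example, not part of the BIND manual or of ISC's code: a small Python
 audit that parses a <code class="filename">named.conf</code> and reports where it departs from the
 access controls used in the caching-only and authoritative-only samples above.
 The function names, the findings' wording and the embedded input are
 constructed for illustration; the parser covers only the statement syntax
 shown in this chapter.
</p>

```python
import re

# Constructed input modelled on the authoritative-only sample; "PLACEHOLDER"
# stands for a file name that is not taken from the manual.
SAMPLE = """
options { allow-query-cache { none; }; allow-query { any; }; recursion no; };
zone "example.com" { type master; file "PLACEHOLDER";
    allow-transfer { 192.168.4.14; 192.168.5.53; }; };
zone "eng.example.com" { type slave; masters { 192.168.4.12; }; };
"""

# Comment patterns come first so "//", "/*" and "#" are never read as words.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def parse(tokens):
    """Turn tokens into statements; each { } block becomes a nested list."""
    stmts, cur = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "{":
            cur.append(parse(tokens))
        elif tok == "}":
            break
        elif tok == ";":
            stmts += [cur] if cur else []
            cur = []
        else:
            cur.append(tok.strip('"'))
    return stmts

def members(name, *blocks):
    """Elements of the first `name { ...; };` clause found in blocks, else None."""
    for stmt in (s for b in blocks for s in b):
        if stmt[0] == name and isinstance(stmt[-1], list):
            return [s[0] for s in stmt[-1]]
    return None

def audit(text):
    """Return findings where text departs from the two samples' access controls."""
    conf = parse([t for t in TOKEN.findall(text) if not t.startswith(("//", "/*", "#"))])
    opts = next((s[-1] for s in conf if s[0] == "options"), [])
    findings = []
    if ["recursion", "no"] in opts:  # only the literal "no" spelling is recognised
        if members("allow-query-cache", opts) != ["none"]:
            findings.append("options: recursion is off but cache access is not denied")
    elif "any" in (members("allow-query", opts) or ["any"]):
        findings.append("options: recursive service without an allow-query restriction")
    for zone in (s for s in conf if s[0] == "zone"):
        body = zone[-1]
        xfer = members("allow-transfer", body, opts)  # zone clause wins over options
        # Assumption: with no allow-transfer anywhere, any host may transfer the zone.
        if ["type", "master"] in body and (xfer is None or "any" in xfer):
            findings.append(f"zone {zone[1]}: transfers not limited to slave servers")
    return findings
```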
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="load_balancing"></a>Load Balancing</h2></div></div></div>
<p>
 A primitive form of load balancing can be achieved in
 the <acronym class="acronym">DNS</acronym> by using multiple records
 (such as multiple A records) for one name.
</p>
<p>
 For example, if you have three WWW servers with network addresses
 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
 following means that clients will connect to each machine one third
 of the time:
</p>
<p>
 Resource Record (RR) Data
</p>
<p>
 When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
 them and respond to the query with the records in a different
 order. In the example above, clients will randomly receive
 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
 will use the first record returned and discard the rest.
</p>
<p>
 For more detail on ordering responses, check the
 <span class="command"><strong>rrset-order</strong></span> sub-statement in the
 <span class="command"><strong>options</strong></span> statement; see
 <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="ns_operations"></a>Name Server Operations</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
 This section describes several indispensable diagnostic,
 administrative and monitoring tools available to the system
 administrator for controlling and debugging the name server
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
<p>
 The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
 <span class="command"><strong>nslookup</strong></span> programs are all command
 line tools for manually querying name servers. They differ in style and
 output format.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
<dd>
<p>
 The domain information groper (<span class="command"><strong>dig</strong></span>)
 is the most versatile and complete of these lookup tools.
 It has two modes: simple interactive
 mode for a single query, and batch mode which executes a
 query for each in a list of several query lines. All query options are
 accessible from the command line.
</p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>
 The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
</p>
<p>
 <span class="command"><strong>dig @server domain query-type query-class</strong></span>
</p>
<p>
 For more information and a list of available commands and
 options, see the <span class="command"><strong>dig</strong></span> man
 page.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
<dd>
<p>
 The <span class="command"><strong>host</strong></span> utility emphasizes
 ease of use. By default, it converts
 between host names and Internet addresses, but its
 functionality
 can be extended with the use of options.
</p>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
<p>
 For more information and a list of available commands and
 options, see the <span class="command"><strong>host</strong></span> man
 page.
</p>
</dd>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
<a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
<a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
<a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>
Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
<a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and
<span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
<span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
<span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>.
<span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>.