Bv9ARM.ch04.html revision a1b05dea35aa30b152a47115e18bbe679d3fcf19
<!--
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch04.html,v 1.76 2007/05/16 06:12:01 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570658">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570676">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571111">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571185">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571264">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571429">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571474">Errors</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571488">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571673">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571741">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571890">Configuring Servers</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572033">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572163">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572184">Address to Name Lookups Using Nibble Format</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
 slave will check to see that its version of the zone is the
 current version and, if not, initiate a zone transfer.
 For more information about <acronym class="acronym">DNS</acronym>
 <span><strong class="command">NOTIFY</strong></span>, see the description of the
 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
 the description of the zone option <span><strong class="command">also-notify</strong></span> in
 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
 protocol is specified in RFC 1996.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 As a slave zone can also be a master to other slaves, named,
 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
 cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
 zones that it loads.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
 Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 messages. The format and meaning of these messages are specified
 Dynamic update is enabled by including an
 <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
 clause in the <span><strong class="command">zone</strong></span> statement. The
 <span><strong class="command">tkey-gssapi-credential</strong></span> and
 <span><strong class="command">tkey-domain</strong></span> clauses in the
 <span><strong class="command">options</strong></span> statement enable the
 server to negotiate keys that can be matched against those
 in <span><strong class="command">update-policy</strong></span> or
 <span><strong class="command">allow-update</strong></span>.
 Updating of secure zones (zones using DNSSEC) follows
 RFC 3007: RRSIG and NSEC records affected by updates are automatically
 regenerated by the server using an online zone key.
 Update authorization is based
 on transaction signatures and an explicit server policy.
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
 All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.
 The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.
 When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that took
 place after the last zone dump.
 Changes that result from incoming incremental zone transfers are
 journalled in a similar way.
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes — those are only in the journal file.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
 If you have to make changes to a dynamic zone
 manually, the following procedure will work: Disable dynamic updates
 to the zone using
 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
 This will also remove the zone's <code class="filename">.jnl</code> file
 and update the master file. Edit the zone file. Run
 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
 to reload the changed zone and re-enable dynamic updates.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
 The incremental zone transfer (IXFR) protocol is a way for
 slave servers to transfer only changed data, instead of having to
 transfer the entire zone. The IXFR protocol is specified in RFC
 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
 When acting as a master, <acronym class="acronym">BIND</acronym> 9
 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR. For manually maintained master
 zones, and for slave zones obtained by performing a full zone
 transfer (AXFR), IXFR is supported only if the option
 <span><strong class="command">ixfr-from-differences</strong></span> is set
 to <strong class="userinput"><code>yes</code></strong>.
 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
 attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
 of the <span><strong class="command">server</strong></span> statement.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570658"></a>Split DNS</h2></div></div></div>
 Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a
 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
 reasons an organization would want to set up its DNS this way.
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
 However, since listing addresses of internal servers that
 external clients cannot possibly reach can result in
 connection delays and other annoyances, an organization may
 choose to use a Split DNS to present a consistent view of itself
 to the outside world.
 Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 space (reserved IP space, as documented in RFC 1918) to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570676"></a>Example split DNS setup</h3></div></div></div>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 has several corporate sites that have an internal network with
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 IP space) and the other set will be on bastion hosts, which are
 hosts that can talk to both sides of its network, in the DMZ.
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers in the
 DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion hosts.
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (`*') records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
 Here's an example of a wildcard MX record:
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
 Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers on
 the bastion hosts will need to be configured to point to the internal
 name servers for DNS resolution.
 Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
 out to the DNS servers on the bastion hosts.
 In order for all this to work properly, internal clients will
 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
 name servers for DNS queries. This could also be enforced via
 filtering on the network.
 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
 internal clients will now be able to:
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.</li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external people.</li>
</ul>
 Hosts on the Internet will be able to:
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
</ul>
 Here is an example configuration for the setup just
 described. Note that this is only configuration information;
 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
 Internal DNS server config:
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { <code class="varname">bastion-ips-go-here</code>; };
options {
    forward only;
    forwarders {                            // forward to external servers
        <code class="varname">bastion-ips-go-here</code>;
    };
    allow-transfer { none; };               // sample allow-transfer (no one)
    allow-query { internals; externals; };  // restrict query access
};
zone "site1.example.com" { ... };           // sample master zone
zone "site2.example.com" { ... };           // sample slave zone
zone "site1.internal" { ... };
zone "site2.internal" { ... };
</pre>
 External (bastion host) DNS server config:
<pre class="programlisting">
zone "site1.example.com" { ... };           // sample slave zone
zone "site2.example.com" { ... };
</pre>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
<strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
both servers. The following is added to each server's <code class="filename">named.conf</code> file:
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
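As an added illustration (not code from the BIND distribution) of what the key and server statements above set up: the sender computes an HMAC-MD5 over the DNS message plus the TSIG variables, and the receiver recomputes it, compares it in constant time, and only then checks the time-signed value against the fudge window. The key name host1-host2. is the one from the dnssec-keygen command above; the secret, the AXFR query and the clock values are constructed for the example.

```python
"""TSIG (RFC 2845) HMAC-MD5 signing and verification over a DNS message.
Added example, not code from the BIND distribution; the key secret, the
query and the timestamps are constructed."""
import base64
import hashlib
import hmac
import struct

KEY_NAME = "host1-host2."                # key name from the dnssec-keygen command
ALGORITHM = "hmac-md5.sig-alg.reg.int."  # TSIG algorithm name for HMAC-MD5
SECRET_B64 = "La/E5CjG9O+os1jq0a2jdA=="   # constructed 128-bit secret, base64


def load_secret(b64: str = SECRET_B64) -> bytes:
    """Decode the base64 secret as it would appear in a key statement."""
    return base64.b64decode(b64)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header plus one question, no TSIG RR."""
    header = struct.pack(">HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack(">HH", qtype, 1)  # class IN


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2): NAME,
    CLASS=ANY, TTL=0, algorithm name, 48-bit time signed, fudge, error,
    other length and other data."""
    return (wire_name(key_name)
            + struct.pack(">HI", 255, 0)
            + wire_name(algorithm)
            + struct.pack(">HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack(">HHH", fudge, error, len(other))
            + other)


def compute_mac(secret, message, key_name, time_signed, fudge):
    """HMAC-MD5 over the message (with the TSIG RR removed) followed by the
    TSIG variables. This is the layout for an unsigned request; a signed
    response would additionally prefix the request MAC, omitted here."""
    data = message + tsig_variables(key_name, ALGORITHM, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()


def sign(secret, message, key_name, now, fudge=300):
    """Sign an outgoing message; returns the fields the TSIG RR would carry."""
    return {"key_name": key_name, "time_signed": now, "fudge": fudge,
            "mac": compute_mac(secret, message, key_name, now, fudge)}


def verify(secret, message, tsig, now):
    """Receiver-side check, returning the RFC 2845 error name: NOERROR,
    BADSIG (MAC mismatch) or BADTIME (outside the fudge window). The MAC is
    compared first and in constant time; BADTIME is reported only for a
    message whose signature is otherwise valid."""
    expected = compute_mac(secret, message, tsig["key_name"],
                           tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    secret = load_secret()
    query = build_query("site1.example.com.", 252)          # AXFR request
    tsig = sign(secret, query, KEY_NAME, now=1_000_000)
    print(verify(secret, query, tsig, now=1_000_010))       # NOERROR
    print(verify(secret, query[:-1] + b"\x02", tsig, now=1_000_010))  # BADSIG
    print(verify(secret, query, tsig, now=1_000_500))       # BADTIME
```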
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
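As an added example (not part of the manual or the BIND sources): a DNSKEY line in the form shown above (owner, flags, protocol, algorithm, quoted base64 key) can be parsed to recover what dnssec-keygen encodes in the key file name, the algorithm number and the RFC 4034 Appendix B key tag, with flags 257 marking a key-signing key (zone key bit plus SEP bit). The key material here is a constructed 4-byte placeholder, not a real RSASHA1 key.

```python
"""Parse a DNSKEY record in trusted-keys or zone-file presentation format
and derive its key tag and role. Added example, not code from BIND; the
public key used below is a constructed placeholder."""
import base64
import struct

ZONE_KEY_FLAG = 0x0100   # bit 7: the key is a zone key (flags 256)
SEP_FLAG = 0x0001        # bit 15: Secure Entry Point, set on a KSK (flags 257)
ALGORITHM_NAMES = {5: "RSASHA1"}   # the algorithm used on this page


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry."""
    rdata = struct.pack(">HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Accepts 'owner flags protocol algorithm "base64";' as written inside a
    trusted-keys statement, and 'owner [ttl] [IN] DNSKEY flags protocol
    algorithm base64' as written in a zone file or dnssec-keygen .key file.
    Base64 split across whitespace is joined back together."""
    tokens = line.strip().rstrip(";").replace('"', "").split()
    owner = tokens[0]
    upper = [t.upper() for t in tokens]
    start = upper.index("DNSKEY") + 1 if "DNSKEY" in upper else 1
    flags, protocol, algorithm = (int(t) for t in tokens[start:start + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    public_key = base64.b64decode("".join(tokens[start + 3:]))
    return {
        "owner": owner,
        "flags": flags,
        "algorithm": algorithm,
        "algorithm_name": ALGORITHM_NAMES.get(algorithm, "unknown"),
        "zone_key": bool(flags & ZONE_KEY_FLAG),
        "ksk": bool(flags & SEP_FLAG),
        "key_tag": key_tag(flags, protocol, algorithm, public_key),
    }


def key_file_basename(owner: str, algorithm: int, tag: int) -> str:
    """Base name dnssec-keygen uses for the key pair files: K<owner>+<alg>+<tag>."""
    return f"K{owner}+{algorithm:03d}+{tag:05d}"


if __name__ == "__main__":
    # Constructed: "AQIDBA==" is base64 of bytes 01 02 03 04, not a real key.
    info = parse_dnskey('example.com. 257 3 5 "AQIDBA==";')
    print(info)
    print(key_file_basename(info["owner"], info["algorithm"], info["key_tag"]))
```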
<a name="id2572033"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.