Bv9ARM.ch04.html revision ca67ebfe9eef0b8f04179f7e511a19e0337a5422
010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - Copyright (C) 2000-2003 Internet Software Consortium.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - Permission to use, copy, modify, and distribute this software for any
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - purpose with or without fee is hereby granted, provided that the above
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - copyright notice and this permission notice appear in all copies.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<!-- $Id: Bv9ARM.ch04.html,v 1.96 2009/06/17 23:12:09 tbox Exp $ -->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<title>Chapter�4.�Advanced DNS Features</title>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<table width="100%" summary="Navigation header">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<div class="titlepage"><div><div><h2 class="title">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570510">Split DNS</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570529">Example split DNS setup</a></span></dt></dl></dd>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571030">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571104">Copying the Shared Secret to Both Machines</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571114">Informing the Servers of the Key's Existence</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563989">Instructing the Server to Use the Key</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564115">TSIG Key Based Access Control</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564163">Errors</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571549">TKEY</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571598">SIG(0)</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571803">Generating Keys</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571950">Signing the Zone</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572032">Configuring Servers</a></span></dt>
010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572201">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572400">Address Lookups Using AAAA Records</a></span></dt>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572421">Address to Name Lookups Using Nibble Format</a></span></dt>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<a name="notify"></a>Notify</h2></div></div></div>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater servers to notify their slave servers of changes to a zone's data. In
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater slave will check to see that its version of the zone is the
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User current version and, if not, initiate a zone transfer.
010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User For more information about <acronym class="acronym">DNS</acronym>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">NOTIFY</strong></span>, see the description of the
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User the description of the zone option <span><strong class="command">also-notify</strong></span> in
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont protocol is specified in RFC 1996.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User zones that it loads.
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Dynamic Update is a method for adding, replacing or deleting
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont records in a master server by sending it a special form of DNS
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont messages. The format and meaning of these messages is specified
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Dynamic update is enabled by including an
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">allow-update</strong></span>, <span><strong class="command">update-policy</strong></span>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater clause in the <span><strong class="command">zone</strong></span> statement, or by setting the
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">ddns-autconf</strong></span> option to <strong class="userinput"><code>yes</code></strong>.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater If the zone's <span><strong class="command">ddns-autoconf</strong></span> option is set to
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <strong class="userinput"><code>yes</code></strong>, then updates to the zone
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater will be permitted for the key <code class="filename">ddns.key</code>,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User which will be generated by <span><strong class="command">named</strong></span> at startup.
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User The <span><strong class="command">tkey-gssapi-credential</strong></span> and
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">tkey-domain</strong></span> clauses in the
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User <span><strong class="command">options</strong></span> statement enable the
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User server to negotiate keys that can be matched against those
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User in <span><strong class="command">update-policy</strong></span> or
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User <span><strong class="command">allow-update</strong></span>.
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User Updating of secure zones (zones using DNSSEC) follows RFC
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User 3007: RRSIG, NSEC and NSEC3 records affected by updates are
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User automatically regenerated by the server using an online
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User zone key. Update authorization is based on transaction
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User signatures and an explicit server policy.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<div class="titlepage"><div><div><h3 class="title">
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<a name="journal"></a>The journal file</h3></div></div></div>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User All changes made to a zone using dynamic update are stored
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User in the zone's journal file. This file is automatically created
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User by the server when the first dynamic update takes place.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User The name of the journal file is formed by appending the extension
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User <code class="filename">.jnl</code> to the name of the
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User corresponding zone
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User file unless specifically overridden. The journal file is in a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User binary format and should not be edited manually.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User The server will also occasionally write ("dump")
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User the complete contents of the updated zone to its zone file.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User This is not done immediately after
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User each dynamic update, because that would be too slow when a large
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User zone is updated frequently. Instead, the dump is delayed by
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User up to 15 minutes, allowing additional updates to take place.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User When a server is restarted after a shutdown or crash, it will replay
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User the journal file to incorporate into the zone any updates that
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User place after the last zone dump.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Changes that result from incoming incremental zone transfers are
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont journalled in a similar way.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont The zone files of dynamic zones cannot normally be edited by
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont hand because they are not guaranteed to contain the most recent
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont dynamic changes — those are only in the journal file.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont The only way to ensure that the zone file of a dynamic zone
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont is up to date is to run <span><strong class="command">rndc stop</strong></span>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User If you have to make changes to a dynamic zone
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater manually, the following procedure will work: Disable dynamic updates
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to the zone using
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater This will also remove the zone's <code class="filename">.jnl</code> file
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User and update the master file. Edit the zone file. Run
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater to reload the changed zone and re-enable dynamic updates.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User The incremental zone transfer (IXFR) protocol is a way for
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont slave servers to transfer only changed data, instead of having to
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont transfer the entire zone. The IXFR protocol is specified in RFC
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User When acting as a master, <acronym class="acronym">BIND</acronym> 9
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User supports IXFR for those zones
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont where the necessary change history information is available. These
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater include master zones maintained by dynamic update and slave zones
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User whose data was obtained by IXFR. For manually maintained master
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User zones, and for slave zones obtained by performing a full zone
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater transfer (AXFR), IXFR is supported only if the option
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span><strong class="command">ixfr-from-differences</strong></span> is set
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to <strong class="userinput"><code>yes</code></strong>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User attempt to use IXFR unless
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont it is explicitly disabled. For more information about disabling
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User of the <span><strong class="command">server</strong></span> statement.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<a name="id2570510"></a>Split DNS</h2></div></div></div>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Setting up different views, or visibility, of the DNS space to
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater internal and external resolvers is usually referred to as a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="emphasis"><em>Split DNS</em></span> setup. There are several
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User reasons an organization would want to set up its DNS this way.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User One common reason for setting up a DNS system this way is
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont to hide "internal" DNS information from "external" clients on the
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Internet. There is some debate as to whether or not this is actually
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater Internal DNS information leaks out in many ways (via email headers,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User for example) and most savvy "attackers" can find the information
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User they need using other means.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater However, since listing addresses of internal servers that
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater external clients cannot possibly reach can result in
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater connection delays and other annoyances, an organization may
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater choose to use a Split DNS to present a consistent view of itself
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater to the outside world.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Another common reason for setting up a Split DNS system is
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont to allow internal networks that are behind filters or in RFC 1918
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User space (reserved IP space, as documented in RFC 1918) to resolve DNS
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User on the Internet. Split DNS can also be used to allow mail from outside
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater back in to the internal network.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<div class="titlepage"><div><div><h3 class="title">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<a name="id2570529"></a>Example split DNS setup</h3></div></div></div>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User has several corporate sites that have an internal network with
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Internet Protocol (IP) space and an external demilitarized zone (DMZ),
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User or "outside" section of a network, that is available to the public.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User to be able to resolve external hostnames and to exchange mail with
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User people on the outside. The company also wants its internal resolvers
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to have access to certain internal-only zones that are not available
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont at all outside of the internal network.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont In order to accomplish this, the company will set up two sets
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont of name servers. One set will be on the inside network (in the
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont IP space) and the other set will be on bastion hosts, which are
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User hosts that can talk to both sides of its network, in the DMZ.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User The internal servers will be configured to forward all queries,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User and <code class="filename">site2.example.com</code>, to the servers
6f1205897504b8f50b1785975482c995888dd630Tinderbox User DMZ. These internal servers will have complete sets of information
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User and <code class="filename">site2.internal</code>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater the internal name servers must be configured to disallow all queries
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to these domains from any external hosts, including the bastion
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater The external servers, which are on the bastion hosts, will
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater This could include things such as the host records for public servers
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User should have special MX records that contain wildcard (`*') records
010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User pointing to the bastion hosts. This is needed because external mail
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User servers do not have any other way of looking up how to deliver mail
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to those internal hosts. With the wildcard records, the mail will
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User be delivered to the bastion host, which can then forward it on to
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater internal hosts.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Here's an example of a wildcard MX record:
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Now that they accept mail on behalf of anything in the internal
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User network, the bastion hosts will need to know how to deliver mail
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater to internal hosts. In order for this to work properly, the resolvers
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User the bastion hosts will need to be configured to point to the internal
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater name servers for DNS resolution.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Queries for internal hostnames will be answered by the internal
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater servers, and queries for external hostnames will be forwarded back
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater out to the DNS servers on the bastion hosts.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User In order for all this to work properly, internal clients will
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater need to be configured to query <span class="emphasis"><em>only</em></span> the internal
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User name servers for DNS queries. This could also be enforced via
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater filtering on the network.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User internal clients will now be able to:
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Look up any hostnames in the <code class="literal">site1</code>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <code class="literal">site2.example.com</code> zones.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Look up any hostnames in the <code class="literal">site1.internal</code> and
79cf9524b15ca65f55fd6913e6cf01b5581c588aAutomatic Updater <code class="literal">site2.internal</code> domains.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<li>Look up any hostnames on the Internet.</li>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<li>Exchange mail with both internal and external people.</li>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Hosts on the Internet will be able to:
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Look up any hostnames in the <code class="literal">site1</code>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <code class="literal">site2.example.com</code> zones.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Exchange mail with anyone in the <code class="literal">site1</code> and
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User <code class="literal">site2.example.com</code> zones.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Here is an example configuration for the setup we just
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User described above. Note that this is only configuration information;
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Internal DNS server config:
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox Useracl internals { 172.16.72.0/24; 192.168.1.0/24; };
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox Useracl externals { <code class="varname">bastion-ips-go-here</code>; };
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User forward only;
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User // forward to external servers
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <code class="varname">bastion-ips-go-here</code>;
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User // sample allow-transfer (no one)
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-transfer { none; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User // restrict query access
010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User allow-query { internals; externals; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User // restrict recursion
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-recursion { internals; };
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont// sample master zone
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User // do normal iterative resolution (do not forward)
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User forwarders { };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-query { internals; externals; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-transfer { internals; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User// sample slave zone
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont masters { 172.16.72.3; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User forwarders { };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-query { internals; externals; };
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont allow-transfer { internals; };
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater forwarders { };
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont allow-query { internals; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-transfer { internals; }
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User masters { 172.16.72.3; };
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater forwarders { };
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater allow-query { internals };
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont allow-transfer { internals; }
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User External (bastion host) DNS server config:
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox Useracl internals { 172.16.72.0/24; 192.168.1.0/24; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox Useracl externals { bastion-ips-go-here; };
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont // sample allow-transfer (no one)
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User allow-transfer { none; };
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User // default query access
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont allow-query { any; };
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User // restrict cache access
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User allow-query-cache { internals; externals; };
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont // restrict recursion
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont allow-recursion { internals; externals; };
zone "site1.example.com" {
zone "site2.example.com" {
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
<strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
both servers. The following is added to each server's <code class="filename">named.conf</code> file:
The algorithm, <code class="literal">hmac-md5</code>, is the only one supported by <acronym class="acronym">BIND</acronym>.
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
controls. These are here to ensure that <span><strong class="command">named</strong></span> is immune
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
<a name="id2572201"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.