71092d70af35567dd154d3de2ce04ce62e157a7cLennart Poettering<!--
7c66aeba0f28cb82027d6015405ed71afa3b6059Kay Sievers - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
7c66aeba0f28cb82027d6015405ed71afa3b6059Kay Sievers - Copyright (C) 2000-2003 Internet Software Consortium.
c904f64d84db8c4eebedf210ba10893f19ba05edLennart Poettering -
c904f64d84db8c4eebedf210ba10893f19ba05edLennart Poettering - Permission to use, copy, modify, and/or distribute this software for any
05677bb78079c3fa0283101aac2c07581f4873f1Lennart Poettering - purpose with or without fee is hereby granted, provided that the above
73090dc815390f4fca4e3ed8a7e1d3806605daaaLennart Poettering - copyright notice and this permission notice appear in all copies.
f957632b960a0a42999b38ded7089fa602b41745Kay Sievers -
f957632b960a0a42999b38ded7089fa602b41745Kay Sievers - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
f957632b960a0a42999b38ded7089fa602b41745Kay Sievers - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
f957632b960a0a42999b38ded7089fa602b41745Kay Sievers - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
9a36607584bbd1d78775353e022a51794b4e27b1Lennart Poettering - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9a36607584bbd1d78775353e022a51794b4e27b1Lennart Poettering - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a40593a0d0d740efa387e35411e1e456a6c5aba7Lennart Poettering - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
20ffc4c4a9226b0e45cc02ad9c0108981626c0bbKay Sievers - PERFORMANCE OF THIS SOFTWARE.
2d19f95caef8668aeb5c05a18b39c6b79f710856Kay Sievers-->
c0fe5db522b52f27e030655ce2c03e05cbbc1558Kay Sievers<!-- $Id: Bv9ARM.ch04.html,v 1.142 2011/10/07 01:14:44 tbox Exp $ -->
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<html>
c0fe5db522b52f27e030655ce2c03e05cbbc1558Kay Sievers<head>
c3090674833c8bd34fbdb0e743f1c47d85dd14fbLennart Poettering<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;4.&nbsp;Advanced DNS Features</title>
2d19f95caef8668aeb5c05a18b39c6b79f710856Kay Sievers<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
314b4b0a68d9ab35de981923a088fc8c8820caa5Lennart Poettering<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
bfb7ec0ebab18a0bc8a99997f541c980a323c867Lennart Poettering<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
a4cc3e5ccc0a3033d764a9eb3ae5ee90db560682Lennart Poettering</head>
0028da22f194f7c0ca7169a48cf32e1bc0f9138aLennart Poettering<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a4cc3e5ccc0a3033d764a9eb3ae5ee90db560682Lennart Poettering<div class="navheader">
7e2c2bcf1285d124c9c656ff46cafa4db0a987c9Lennart Poettering<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;4.&nbsp;Advanced DNS Features</th></tr>
7e2c2bcf1285d124c9c656ff46cafa4db0a987c9Lennart Poettering<tr>
7e2c2bcf1285d124c9c656ff46cafa4db0a987c9Lennart Poettering<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
7b4da18c1717f811bae67ea3d39290495857c03eLennart Poettering</td>
788f75a0e766738c052086e856b7c1b1b676de6bLennart Poettering</tr>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</table>
205b7fa46594b38901636b167b02a8725d915b79Lennart Poettering<hr>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</div>
95b4be171988fc2ea33377b1b4450e5d410add7bLennart Poettering<div class="chapter" lang="en">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h2></div></div></div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="toc">
490b7e47093d491a2bdb1084fe92b796f4e07eefLennart Poettering<p><b>Table of Contents</b></p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dl>
490b7e47093d491a2bdb1084fe92b796f4e07eefLennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
5965984d6b9f7751d6281028142ecf3ca475f156Lennart Poettering<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570876">Split DNS</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570894">Example split DNS setup</a></span></dt></dl></dd>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dd><dl>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571532">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571606">Copying the Shared Secret to Both Machines</a></span></dt>
e41814846c19a48f4490169d82e359e005c4db45Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571617">Informing the Servers of the Key's Existence</a></span></dt>
c0fe5db522b52f27e030655ce2c03e05cbbc1558Kay Sievers<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571653">Instructing the Server to Use the Key</a></span></dt>
e9fd44b728ff1fc0d1f24fccb87a767f6865df27Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571779">TSIG Key Based Access Control</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571828">Errors</a></span></dt>
e9fd44b728ff1fc0d1f24fccb87a767f6865df27Lennart Poettering</dl></dd>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571842">TKEY</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571959">SIG(0)</a></span></dt>
3040728b6691ea2e9df3a2060e2d49a792bbaedaLennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dd><dl>
8ed206517c2be381324ac5832bf34cc14024270eLennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572027">Generating Keys</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572174">Signing the Zone</a></span></dt>
e6c6e7afffa80ad74efdb1ddfa815294624f1608Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572256">Configuring Servers</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</dl></dd>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dd><dl>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583664">Validating Resolver</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583686">Authoritative Server</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</dl></dd>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dd><dl>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609468">Prerequisites</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607691">Building BIND 9 with PKCS#11</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607786">PKCS #11 Tools</a></span></dt>
e673ad0415d89c322e5b1a121e411f1b1d8075c0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607817">Using the HSM</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609927">Specifying the engine on the command line</a></span></dt>
e673ad0415d89c322e5b1a121e411f1b1d8075c0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610519">Running named with automatic zone re-signing</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</dl></dd>
e673ad0415d89c322e5b1a121e411f1b1d8075c0Lennart Poettering<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572544">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dd><dl>
e673ad0415d89c322e5b1a121e411f1b1d8075c0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572674">Address Lookups Using AAAA Records</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572695">Address to Name Lookups Using Nibble Format</a></span></dt>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</dl></dd>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</dl>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="sect1" lang="en">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<a name="notify"></a>Notify</h2></div></div></div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
 slave will check to see that its version of the zone is the
 current version and, if not, initiate a zone transfer. A
 <span><strong class="command">NOTIFY</strong></span> carries no zone data itself; it only
 prompts the slave to check the zone's serial number and, if needed, to
 transfer the zone. Because the message is ordinarily sent over UDP, its
 source address can be forged unless it is signed with TSIG (see
 <a href="Bv9ARM.ch04.html#tsig">the section called &#8220;TSIG&#8221;</a>);
 a forged <span><strong class="command">NOTIFY</strong></span> cannot inject records,
 but it can cause unnecessary serial checks and transfers.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering For more information about <acronym class="acronym">DNS</acronym>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering <span><strong class="command">NOTIFY</strong></span>, see the description of the
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering the description of the zone option <span><strong class="command">also-notify</strong></span> in
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. The <span><strong class="command">NOTIFY</strong></span>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering protocol is specified in RFC 1996.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<h3 class="title">Note</h3>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering zones that it loads.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="sect1" lang="en">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering Dynamic Update is a method for adding, replacing or deleting
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering records in a master server by sending it a special form of DNS
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering messages. The format and meaning of these messages is specified
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering in RFC 2136.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
 Dynamic update is enabled by including an
 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
 clause in the <span><strong class="command">zone</strong></span> statement. Because update
 requests can arrive over UDP, an <span><strong class="command">allow-update</strong></span>
 list that matches only on source IP address is easily defeated by address
 spoofing, and it lets any matching client change any record in the zone.
 Restrict updates to requests signed with a TSIG key (see
 <a href="Bv9ARM.ch04.html#tsig">the section called &#8220;TSIG&#8221;</a>)
 or use a finer-grained <span><strong class="command">update-policy</strong></span> instead.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
 If the zone's <span><strong class="command">update-policy</strong></span> is set to
 <strong class="userinput"><code>local</code></strong>, updates to the zone
 will be permitted for the key <code class="varname">local-ddns</code>,
 which will be generated by <span><strong class="command">named</strong></span> at startup.
 Any client that can present this key may update the zone, so the
 generated key material must be protected like any other TSIG secret.
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering Dynamic updates using Kerberos signed requests can be made
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering using the TKEY/GSS protocol by setting either the
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering Kerberos signed requests will be matched against the update
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering policies for the zone, using the Kerberos principal as the
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering signer for the request.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
 Updating of secure zones (zones using DNSSEC) follows RFC
 3007: RRSIG, NSEC and NSEC3 records affected by updates are
 automatically regenerated by the server using an online
 zone key. This requires the private zone-signing key to be present
 on, and readable by, the server that accepts the updates, so a
 compromise of that server also exposes the signing key; keeping the
 key in an HSM (see <a href="Bv9ARM.ch04.html#pkcs11">the section called &#8220;PKCS #11 (Cryptoki) support&#8221;</a>)
 can reduce that exposure. Update authorization is based on transaction
 signatures and an explicit server policy.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="sect2" lang="en">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="titlepage"><div><div><h3 class="title">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<a name="journal"></a>The journal file</h3></div></div></div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering All changes made to a zone using dynamic update are stored
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering in the zone's journal file. This file is automatically created
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually. Since its contents
 are replayed into the zone when the server restarts, it must be
 protected against tampering with file permissions at least as
 restrictive as those of the zone file itself.
 </p>
d2e83c23f5f0cdd3b6ec05c5c40209708721e704Kay Sievers<p>
7a43e910ce00eef22fd42925ae4c85cbea1b1320Kay Sievers The server will also occasionally write ("dump")
d2e83c23f5f0cdd3b6ec05c5c40209708721e704Kay Sievers the complete contents of the updated zone to its zone file.
c55b1b59b837dfd924b704d457ed77c55f8bfeabLennart Poettering This is not done immediately after
6c1703cc35b3a5f93ad3cc813fea10cb9a636102Kay Sievers each dynamic update, because that would be too slow when a large
6c1703cc35b3a5f93ad3cc813fea10cb9a636102Kay Sievers zone is updated frequently. Instead, the dump is delayed by
6c1703cc35b3a5f93ad3cc813fea10cb9a636102Kay Sievers up to 15 minutes, allowing additional updates to take place.
08f9588885c5d65694b324846b0ed19211d2c178Lennart Poettering During the dump process, transient files will be created
59704f3e937c664f7324bfbb08483c358dfbc4c6Lennart Poettering with the extensions <code class="filename">.jnw</code> and
59704f3e937c664f7324bfbb08483c358dfbc4c6Lennart Poettering <code class="filename">.jbk</code>; under ordinary circumstances, these
59704f3e937c664f7324bfbb08483c358dfbc4c6Lennart Poettering will be removed when the dump is complete, and can be safely
9ec82de1725ddaab333149171b790d62c47ae133Lennart Poettering ignored.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering When a server is restarted after a shutdown or crash, it will replay
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering the journal file to incorporate into the zone any updates that
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering took
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering place after the last zone dump.
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering </p>
7f8732835295fce29479b1afc9e8ee801852db09Lennart Poettering<p>
7f8732835295fce29479b1afc9e8ee801852db09Lennart Poettering Changes that result from incoming incremental zone transfers are
7f8732835295fce29479b1afc9e8ee801852db09Lennart Poettering also
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering journalled in a similar way.
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering </p>
e707c49485b8f4f2ec040d3da232d39153e650b9Lennart Poettering<p>
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes &#8212; those are only in the journal file.
 The only ways to ensure that the zone file of a dynamic zone
 is up to date are to run <span><strong class="command">rndc stop</strong></span>,
 or to suspend updates with <span><strong class="command">rndc freeze</strong></span>
 as described below; both write the pending journal changes to the zone file.
 </p>
1cb88f2c61f590083847d65cd5a518e834da87d3Lennart Poettering<p>
603cd8fe07cb03e8b11722d1a732e569e5a46347Lennart Poettering If you have to make changes to a dynamic zone
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering manually, the following procedure will work: Disable dynamic updates
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering to the zone using
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
6d0274f11547a0f11200bb82bf598a5a253e12cfLennart Poettering This will also remove the zone's <code class="filename">.jnl</code> file
a7a3f28be404875eff20443a0fa8088bcc4c18dfLennart Poettering and update the master file. Edit the zone file. Run
a7a3f28be404875eff20443a0fa8088bcc4c18dfLennart Poettering <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
9b27910bb0c23e5225fc1177176e4f9bf9bf787bLennart Poettering to reload the changed zone and re-enable dynamic updates.
9b27910bb0c23e5225fc1177176e4f9bf9bf787bLennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</div>
08f9588885c5d65694b324846b0ed19211d2c178Lennart Poettering</div>
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers<div class="sect1" lang="en">
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers<div class="titlepage"><div><div><h2 class="title" style="clear: both">
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers<p>
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers The incremental zone transfer (IXFR) protocol is a way for
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers slave servers to transfer only changed data, instead of having to
7d8197d1f25c1291855bb6cffc705444978c6d8dKay Sievers transfer the entire zone. The IXFR protocol is specified in RFC
9ee58bddeb6eb044753167e0047fe836479ca5dbKay Sievers 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
9ee58bddeb6eb044753167e0047fe836479ca5dbKay Sievers </p>
dcfc4b2e5c1af6375488c00bdc6fb8122f86c4d7Lennart Poettering<p>
71ef24d09573874c0f7bc323c07c3aec2a458707Lennart Poettering When acting as a master, <acronym class="acronym">BIND</acronym> 9
71ef24d09573874c0f7bc323c07c3aec2a458707Lennart Poettering supports IXFR for those zones
71ef24d09573874c0f7bc323c07c3aec2a458707Lennart Poettering where the necessary change history information is available. These
71ef24d09573874c0f7bc323c07c3aec2a458707Lennart Poettering include master zones maintained by dynamic update and slave zones
1b89884ba31cbe98f159ce2c7d6fac5f6a57698fLennart Poettering whose data was obtained by IXFR. For manually maintained master
1b89884ba31cbe98f159ce2c7d6fac5f6a57698fLennart Poettering zones, and for slave zones obtained by performing a full zone
1920e37ef9fec04a1fd882f66bfa7a9a5b91c536Lennart Poettering transfer (AXFR), IXFR is supported only if the option
1920e37ef9fec04a1fd882f66bfa7a9a5b91c536Lennart Poettering <span><strong class="command">ixfr-from-differences</strong></span> is set
15abdb9a6f34628b04b887e0b9649fa582d6cd37Lennart Poettering to <strong class="userinput"><code>yes</code></strong>.
1920e37ef9fec04a1fd882f66bfa7a9a5b91c536Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering attempt to use IXFR unless
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering it is explicitly disabled. For more information about disabling
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering of the <span><strong class="command">server</strong></span> statement.
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering </p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering</div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="sect1" lang="en">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<a name="id2570876"></a>Split DNS</h2></div></div></div>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering<p>
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering Setting up different views, or visibility, of the DNS space to
b44be3ecf6326c27aa2c6c6d1fe34e22e22592a0Lennart Poettering internal and external resolvers is usually referred to as a
f801968466fed39d50d410b30ac828c26722cc95Lennart Poettering <span class="emphasis"><em>Split DNS</em></span> setup. There are several
41f9172f427bdbb8221c64029f78364b8dd4e527Lennart Poettering reasons an organization would want to set up its DNS this way.
41f9172f427bdbb8221c64029f78364b8dd4e527Lennart Poettering </p>
178cc7700c23ac088cd7190d7854282075028d91Lennart Poettering<p>
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. Whether this provides any real protection is debatable, and
 it should not be relied upon as a security control:
 internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
a1cccad1fe88ddd6943e18af97cf7f466296970fLennart Poettering However, since listing addresses of internal servers that
a1cccad1fe88ddd6943e18af97cf7f466296970fLennart Poettering external clients cannot possibly reach can result in
8556879e0d14925ce897875c6c264368e2d048c2Lennart Poettering connection delays and other annoyances, an organization may
d05c556b6b2a680ec8b51ecbbc99a9ab14c28eedZbigniew Jędrzejewski-Szmek choose to use a Split DNS to present a consistent view of itself
8556879e0d14925ce897875c6c264368e2d048c2Lennart Poettering to the outside world.
8556879e0d14925ce897875c6c264368e2d048c2Lennart Poettering </p>
8556879e0d14925ce897875c6c264368e2d048c2Lennart Poettering<p>
4a30847b9d71e0381948d68279c8f775b9de7850Lennart Poettering Another common reason for setting up a Split DNS system is
4a30847b9d71e0381948d68279c8f775b9de7850Lennart Poettering to allow internal networks that are behind filters or in RFC 1918
5e8b28838e493b59628322b69580097ef7dd9384Lennart Poettering space (reserved IP space, as documented in RFC 1918) to resolve DNS
5e8b28838e493b59628322b69580097ef7dd9384Lennart Poettering on the Internet. Split DNS can also be used to allow mail from outside
d87be9b0af81a6e07d4fb3028e45c4409100dc26Lennart Poettering back in to the internal network.
d87be9b0af81a6e07d4fb3028e45c4409100dc26Lennart Poettering </p>
88f89a9b6d25dfcb89691727c8cdaf01f4090b72Lennart Poettering<div class="sect2" lang="en">
88f89a9b6d25dfcb89691727c8cdaf01f4090b72Lennart Poettering<div class="titlepage"><div><div><h3 class="title">
38a60d7112d33ffd596b23e8df53d75a7c09e71bLennart Poettering<a name="id2570894"></a>Example split DNS setup</h3></div></div></div>
38a60d7112d33ffd596b23e8df53d75a7c09e71bLennart Poettering<p>
d8b78264a5245307babbf5af8e39d6d4a1ae095fLennart Poettering Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
d8b78264a5245307babbf5af8e39d6d4a1ae095fLennart Poettering (<code class="literal">example.com</code>)
d8b78264a5245307babbf5af8e39d6d4a1ae095fLennart Poettering has several corporate sites that have an internal network with
d8b78264a5245307babbf5af8e39d6d4a1ae095fLennart Poettering reserved
7560fffcd2531786b9c1ca657667a43e90331326Lennart Poettering Internet Protocol (IP) space and an external demilitarized zone (DMZ),
7560fffcd2531786b9c1ca657667a43e90331326Lennart Poettering or "outside" section of a network, that is available to the public.
68f160039eb78fe122cfe0d4c49695ae91f6f0d1Lennart Poettering </p>
0790b9fed42eefc4e22dbbe2337cba9713b7848cLennart Poettering<p>
5a7e959984788cf89719dec31999409b63bb802bLennart Poettering <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
5a7e959984788cf89719dec31999409b63bb802bLennart Poettering to be able to resolve external hostnames and to exchange mail with
68f160039eb78fe122cfe0d4c49695ae91f6f0d1Lennart Poettering people on the outside. The company also wants its internal resolvers
68f160039eb78fe122cfe0d4c49695ae91f6f0d1Lennart Poettering to have access to certain internal-only zones that are not available
68f160039eb78fe122cfe0d4c49695ae91f6f0d1Lennart Poettering at all outside of the internal network.
68f160039eb78fe122cfe0d4c49695ae91f6f0d1Lennart Poettering </p>
<p>
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 reserved IP space) and the other set will be on bastion hosts in
 the DMZ, that is, "proxy" hosts that can talk to both sides of
 the network.
 </p>
fd4d89b2c0b31da01d134301e30916931ae3c7d9Lennart Poettering<p>
8230e26dc954a40d8c9dbc8ddd9376117021f9d2Lennart Poettering The internal servers will be configured to forward all queries,
8230e26dc954a40d8c9dbc8ddd9376117021f9d2Lennart Poettering except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
4d9909c93e9c58789c71b34555a1908307c6849eLennart Poettering and <code class="filename">site2.example.com</code>, to the servers
4d9909c93e9c58789c71b34555a1908307c6849eLennart Poettering in the
47ae7201b1df43bd3da83a19e38483b0e5694c99Lennart Poettering DMZ. These internal servers will have complete sets of information
47ae7201b1df43bd3da83a19e38483b0e5694c99Lennart Poettering for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
88a6c5894c9d3f85d63b87b040c130366b4006ceKay Sievers and <code class="filename">site2.internal</code>.
8351ceaea9480d9c2979aa2ff0f4982cfdfef58dLennart Poettering </p>
<p>
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to refuse all queries
 for these domains from any external host, including the bastion
 hosts.
 </p>
c66d36e5b5ae81f3c5297d6dacadc13c88c530f6Lennart Poettering<p>
c649f72baed31c54c8384c3ca1d203fab6e98d08David Strauss The external servers, which are on the bastion hosts, will
c649f72baed31c54c8384c3ca1d203fab6e98d08David Strauss be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
be0aa78406c73a6625308dc0672b5ff27ec6f9a8Lennart Poettering This could include things such as the host records for public servers
be0aa78406c73a6625308dc0672b5ff27ec6f9a8Lennart Poettering (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
9946996cda11a18b44d82344676e5a0e96339408Lennart Poettering and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
9946996cda11a18b44d82344676e5a0e96339408Lennart Poettering </p>
<p>
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (<code class="literal">*</code>) records
 pointing to the bastion hosts. This is needed because external mail
 servers have no other way of finding out how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 the internal hosts.
 </p>
7b63bde1ed0d4f30c799c9b4737fa926465929f9Lennart Poettering<p>
7b63bde1ed0d4f30c799c9b4737fa926465929f9Lennart Poettering Here's an example of a wildcard MX record:
5b40d33761376354116a8cddb9b9fbdb6c4727d6Lennart Poettering </p>
5b40d33761376354116a8cddb9b9fbdb6c4727d6Lennart Poettering<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
b86fa936ce36976cd6a96034cf14ea267695bcb2Lennart Poettering<p>
b86fa936ce36976cd6a96034cf14ea267695bcb2Lennart Poettering Now that they accept mail on behalf of anything in the internal
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers network, the bastion hosts will need to know how to deliver mail
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers to internal hosts. In order for this to work properly, the resolvers
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers on
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers the bastion hosts will need to be configured to point to the internal
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers name servers for DNS resolution.
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers </p>
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers<p>
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers Queries for internal hostnames will be answered by the internal
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers servers, and queries for external hostnames will be forwarded back
d3a3f22267a7dac426b07a7ed0baa1632f5daf04Kay Sievers out to the DNS servers on the bastion hosts.
465349c06d994dd2cc6b6fc4109ac0b9952d500aLennart Poettering </p>
<p>
 In order for all this to work properly, internal clients will
 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
 name servers for DNS queries. This can also be enforced with
 network filtering, so that only the internal name servers are able
 to send DNS queries out of the internal network.
 </p>
abd55b16547d0bb0ed1c31e72e16838f0f59f48bKay Sievers<p>
abd55b16547d0bb0ed1c31e72e16838f0f59f48bKay Sievers If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
abd55b16547d0bb0ed1c31e72e16838f0f59f48bKay Sievers internal clients will now be able to:
abd55b16547d0bb0ed1c31e72e16838f0f59f48bKay Sievers </p>
abd55b16547d0bb0ed1c31e72e16838f0f59f48bKay Sievers<div class="itemizedlist"><ul type="disc">
b8217b7bd5fd171916a095b150fad4c3a37f5a41Kay Sievers<li>
18b754d345ecb0b15e369978aaffa72e9814b86aKay Sievers Look up any hostnames in the <code class="literal">site1</code>
068665b6fd9839f27bcace7e8f56c0baa6935272Lennart Poettering and
231931ffba1bca9d8759bbd6f797e56f8c6971faLennart Poettering <code class="literal">site2.example.com</code> zones.
231931ffba1bca9d8759bbd6f797e56f8c6971faLennart Poettering </li>
169c4f65131fbc7bcb51e7d5487a715cdcd0e0ebLennart Poettering<li>
169c4f65131fbc7bcb51e7d5487a715cdcd0e0ebLennart Poettering Look up any hostnames in the <code class="literal">site1.internal</code> and
bd08f2422491169e92dc0899d5ba848fcae4c15cLennart Poettering <code class="literal">site2.internal</code> domains.
bd08f2422491169e92dc0899d5ba848fcae4c15cLennart Poettering </li>
fb0864e7b9c6d26269ccea6ec5c0fd921c029781Lennart Poettering<li>Look up any hostnames on the Internet.</li>
fb0864e7b9c6d26269ccea6ec5c0fd921c029781Lennart Poettering<li>Exchange mail with both internal and external people.</li>
9586cdfab6a2638078702b7fea7e16b3a71899e2Lennart Poettering</ul></div>
9586cdfab6a2638078702b7fea7e16b3a71899e2Lennart Poettering<p>
7f110ff9b8828b477e87de7b28c708cf69a3d008Lennart Poettering Hosts on the Internet will be able to:
7f110ff9b8828b477e87de7b28c708cf69a3d008Lennart Poettering </p>
d0e5a33374cee92962af33dfc03873e470b014f6Lennart Poettering<div class="itemizedlist"><ul type="disc">
d0e5a33374cee92962af33dfc03873e470b014f6Lennart Poettering<li>
d0e5a33374cee92962af33dfc03873e470b014f6Lennart Poettering Look up any hostnames in the <code class="literal">site1</code>
d0e5a33374cee92962af33dfc03873e470b014f6Lennart Poettering and
53ed2eeb2e709a6c0d152d7bdf2d9a4b9f997a16Lennart Poettering <code class="literal">site2.example.com</code> zones.
53ed2eeb2e709a6c0d152d7bdf2d9a4b9f997a16Lennart Poettering </li>
abd55b16547d0bb0ed1c31e72e16838f0f59f48bKay Sievers<li>
680a1dbc354b2f437b4e06e27d4c43217977efdfLennart Poettering Exchange mail with anyone in the <code class="literal">site1</code> and
a6e87e90ede66815989ba2db92a07102a69906feLennart Poettering <code class="literal">site2.example.com</code> zones.
88f89a9b6d25dfcb89691727c8cdaf01f4090b72Lennart Poettering </li>
87a8baa35d6d65ac3b58ae8e26e338e67f8ae8edLennart Poettering</ul></div>
<p>
 Here is an example configuration for the setup described
 above. Note that this is only the name server configuration;
 for information on how to write the zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
 </p>
4cbd9ecf45f64c3a9acc99d473fbf3be3687ae24Lennart Poettering<p>
4cbd9ecf45f64c3a9acc99d473fbf3be3687ae24Lennart Poettering Internal DNS server config:
65c0cf7108ae3537a357c74b4586a783baba82f9Lennart Poettering </p>
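<pre class="programlisting">

// addresses of the internal network: the only hosts allowed to recurse
// and to transfer zones from this server
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

// addresses of the bastion hosts in the DMZ: the only external hosts
// allowed to query this server at all
acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
    ...
    ...
    // never resolve iteratively; everything not answered locally goes
    // to the forwarders
    forward only;
    // forward to external servers
    forwarders {
        <code class="varname">bastion-ips-go-here</code>;
    };
    // sample allow-transfer (no one); individual zones override this
    allow-transfer { none; };
    // restrict query access
    allow-query { internals; externals; };
    // restrict recursion: only internal clients may use this server as
    // a recursive resolver
    allow-recursion { internals; };
    ...
    ...
};

// sample master zone: the internal view of the public zone. The bastion
// hosts may query it so that they can deliver mail to internal hosts.
zone "site1.example.com" {
    type master;
    file "m/site1.example.com";
    // do normal iterative resolution (do not forward)
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

// sample slave zone, transferred from the internal master
zone "site2.example.com" {
    type slave;
    file "s/site2.example.com";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

// internal-only zone: not answered for any external host, including
// the bastion hosts
zone "site1.internal" {
    type master;
    file "m/site1.internal";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

// internal-only zone, transferred from the internal master
zone "site2.internal" {
    type slave;
    file "s/site2.internal";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
</pre>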
a74a8793b04de9886b4f6987b9cb86fa02c73520Lennart Poettering<p>
3040728b6691ea2e9df3a2060e2d49a792bbaedaLennart Poettering External (bastion host) DNS server config:
a74a8793b04de9886b4f6987b9cb86fa02c73520Lennart Poettering </p>
73090dc815390f4fca4e3ed8a7e1d3806605daaaLennart Poettering<pre class="programlisting">
44143309dd0b37d61d7d842ca58f01a65646ec71Kay Sieversacl internals { 172.16.72.0/24; 192.168.1.0/24; };
3d57c6ab801f4437f12948e29589e3d00c3ad9dbLennart Poettering
71092d70af35567dd154d3de2ce04ce62e157a7cLennart Poetteringacl externals { bastion-ips-go-here; };
3f7a8c4e9f1d3ce48919e24eb2c9d56dd6fd88d8Kay Sievers
260abb780a135e4cae8c10715c7e85675efc345aLennart Poetteringoptions {
260abb780a135e4cae8c10715c7e85675efc345aLennart Poettering ...
260abb780a135e4cae8c10715c7e85675efc345aLennart Poettering ...
2791a8f8dc8764a9247cdba3562bd4c04010f144Lennart Poettering // sample allow-transfer (no one)
a8f11321c209830a35edd0357e8def5d4437d854Lennart Poettering allow-transfer { none; };
a8f11321c209830a35edd0357e8def5d4437d854Lennart Poettering // default query access