Bv9ARM.ch04.html revision d8e3f8e0c78f59451120afe9f0c5a40fae780930
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence - Copyright (C) 2000-2003 Internet Software Consortium.
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - Permission to use, copy, modify, and distribute this software for any
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - purpose with or without fee is hereby granted, provided that the above
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - copyright notice and this permission notice appear in all copies.
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley - PERFORMANCE OF THIS SOFTWARE.
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<!-- $Id: Bv9ARM.ch04.html,v 1.80 2007/10/31 01:36:29 marka Exp $ -->
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<title>Chapter�4.�Advanced DNS Features</title>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
828a5beda384130d5e2913dadd862924c53405bfAndreas Gustafsson<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
828a5beda384130d5e2913dadd862924c53405bfAndreas Gustafsson<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<table width="100%" summary="Navigation header">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<div class="titlepage"><div><div><h2 class="title">
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
5fbced719b71e659322b4ce3e4a39c9b039674c7Bob Halley<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
81e92fbafaa07bd8ccbbeb4b5926d548b5c4560eDavid Lawrence<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570658">Split DNS</a></span></dt>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570676">Example split DNS setup</a></span></dt></dl></dd>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571111">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571185">Copying the Shared Secret to Both Machines</a></span></dt>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571195">Informing the Servers of the Key's Existence</a></span></dt>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571235">Instructing the Server to Use the Key</a></span></dt>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571429">TSIG Key Based Access Control</a></span></dt>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571474">Errors</a></span></dt>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571488">TKEY</a></span></dt>
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571673">SIG(0)</a></span></dt>
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571741">Generating Keys</a></span></dt>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Signing the Zone</a></span></dt>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571890">Configuring Servers</a></span></dt>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572033">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572231">Address Lookups Using AAAA Records</a></span></dt>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572252">Address to Name Lookups Using Nibble Format</a></span></dt>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<div class="titlepage"><div><div><h2 class="title" style="clear: both">
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<a name="notify"></a>Notify</h2></div></div></div>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence servers to notify their slave servers of changes to a zone's data. In
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence slave will check to see that its version of the zone is the
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence current version and, if not, initiate a zone transfer.
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley For more information about <acronym class="acronym">DNS</acronym>
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley <span><strong class="command">NOTIFY</strong></span>, see the description of the
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence the description of the zone option <span><strong class="command">also-notify</strong></span> in
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence protocol is specified in RFC 1996.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley As a slave zone can also be a master to other slaves, named,
efd6c944a4ebd3fb65dc39f9172d322198b2b1d3Bob Halley by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
efd6c944a4ebd3fb65dc39f9172d322198b2b1d3Bob Halley it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley zones that it loads.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<div class="titlepage"><div><div><h2 class="title" style="clear: both">
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence Dynamic Update is a method for adding, replacing or deleting
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence records in a master server by sending it a special form of DNS
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence messages. The format and meaning of these messages is specified
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley Dynamic update is enabled by including an
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley clause in the <span><strong class="command">zone</strong></span> statement. The
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley <span><strong class="command">tkey-gssapi-credential</strong></span> and
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley <span><strong class="command">tkey-domain</strong></span> clauses in the
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley <span><strong class="command">options</strong></span> statement enable the
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley server to negotiate keys that can be matched against those
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley in <span><strong class="command">update-policy</strong></span> or
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley <span><strong class="command">allow-update</strong></span>.
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley Updating of secure zones (zones using DNSSEC) follows
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley RFC 3007: RRSIG and NSEC records affected by updates are automatically
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley regenerated by the server using an online zone key.
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley Update authorization is based
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley on transaction signatures and an explicit server policy.
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<div class="titlepage"><div><div><h3 class="title">
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<a name="journal"></a>The journal file</h3></div></div></div>
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley All changes made to a zone using dynamic update are stored
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley in the zone's journal file. This file is automatically created
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley by the server when the first dynamic update takes place.
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley The name of the journal file is formed by appending the extension
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley <code class="filename">.jnl</code> to the name of the
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley corresponding zone
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley file unless specifically overridden. The journal file is in a
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley binary format and should not be edited manually.
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley The server will also occasionally write ("dump")
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley the complete contents of the updated zone to its zone file.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence This is not done immediately after
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence each dynamic update, because that would be too slow when a large
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence zone is updated frequently. Instead, the dump is delayed by
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence up to 15 minutes, allowing additional updates to take place.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence When a server is restarted after a shutdown or crash, it will replay
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence the journal file to incorporate into the zone any updates that
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley place after the last zone dump.
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley Changes that result from incoming incremental zone transfers are
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence journalled in a similar way.
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley The zone files of dynamic zones cannot normally be edited by
19ba7857f6bf38619eda1f1dae0eb05a6cdd2b77Bob Halley hand because they are not guaranteed to contain the most recent
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence dynamic changes — those are only in the journal file.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence The only way to ensure that the zone file of a dynamic zone
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence is up to date is to run <span><strong class="command">rndc stop</strong></span>.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence If you have to make changes to a dynamic zone
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence manually, the following procedure will work: Disable dynamic updates
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence to the zone using
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence This will also remove the zone's <code class="filename">.jnl</code> file
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence and update the master file. Edit the zone file. Run
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence to reload the changed zone and re-enable dynamic updates.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<div class="titlepage"><div><div><h2 class="title" style="clear: both">
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence The incremental zone transfer (IXFR) protocol is a way for
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence slave servers to transfer only changed data, instead of having to
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence transfer the entire zone. The IXFR protocol is specified in RFC
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence When acting as a master, <acronym class="acronym">BIND</acronym> 9
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence supports IXFR for those zones
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence where the necessary change history information is available. These
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence include master zones maintained by dynamic update and slave zones
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence whose data was obtained by IXFR. For manually maintained master
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence zones, and for slave zones obtained by performing a full zone
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence transfer (AXFR), IXFR is supported only if the option
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence <span><strong class="command">ixfr-from-differences</strong></span> is set
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence to <strong class="userinput"><code>yes</code></strong>.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley attempt to use IXFR unless
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley it is explicitly disabled. For more information about disabling
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence of the <span><strong class="command">server</strong></span> statement.
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<div class="titlepage"><div><div><h2 class="title" style="clear: both">
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley<a name="id2570658"></a>Split DNS</h2></div></div></div>
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence Setting up different views, or visibility, of the DNS space to
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence internal and external resolvers is usually referred to as a
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley <span class="emphasis"><em>Split DNS</em></span> setup. There are several
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson reasons an organization would want to set up its DNS this way.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence One common reason for setting up a DNS system this way is
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley to hide "internal" DNS information from "external" clients on the
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence Internet. There is some debate as to whether or not this is actually
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence Internal DNS information leaks out in many ways (via email headers,
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence for example) and most savvy "attackers" can find the information
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence they need using other means.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence However, since listing addresses of internal servers that
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence external clients cannot possibly reach can result in
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence connection delays and other annoyances, an organization may
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence choose to use a Split DNS to present a consistent view of itself
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence to the outside world.
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence Another common reason for setting up a Split DNS system is
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence to allow internal networks that are behind filters or in RFC 1918
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence space (reserved IP space, as documented in RFC 1918) to resolve DNS
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence on the Internet. Split DNS can also be used to allow mail from outside
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley back in to the internal network.
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson<a name="id2570676"></a>Example split DNS setup</h3></div></div></div>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson (<code class="literal">example.com</code>)
5a6e6c2c9b2f6cf426aa2a682aa800765e26d540Andreas Gustafsson has several corporate sites that have an internal network with
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley Internet Protocol (IP) space and an external demilitarized zone (DMZ),
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence or "outside" section of a network, that is available to the public.
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley to be able to resolve external hostnames and to exchange mail with
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley people on the outside. The company also wants its internal resolvers
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence to have access to certain internal-only zones that are not available
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley at all outside of the internal network.
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley In order to accomplish this, the company will set up two sets
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley of name servers. One set will be on the inside network (in the
178f6ad061e54bc5babfca3577f72058fa0797c1Bob Halley IP space) and the other set will be on bastion hosts, which are
b897c52f865b2fc4e220e2110b874e59c716456bBob Halley hosts that can talk to both sides of its network, in the DMZ.
59a6d9cbcdbec6960d47e5871fb7e7c0253e1fb2Mark Andrews The internal servers will be configured to forward all queries,
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence and <code class="filename">site2.example.com</code>, to the servers
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence DMZ. These internal servers will have complete sets of information
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
4b598d8ae578861d5f3fc1333c9f84c9c9c8be7cDavid Lawrence and <code class="filename">site2.internal</code>.
To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
zone "site1.example.com" { // sample master zone
zone "site2.example.com" { // sample slave zone
zone "site1.internal" {
zone "site2.internal" {
zone "site1.example.com" { // sample slave zone
zone "site2.example.com" {
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
<strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
both servers. The following is added to each server's <code class="filename">named.conf</code> file:
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
<a name="id2572033"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.