doc/arm/Bv9ARM.ch07.html

	Bv9ARM.ch07.html revision 1fa26403d7679235a30fbf6289f68fed5872df30
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<HTML
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews><HEAD
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews><TITLE
72cbea34c935116215846c88a94a3c21ec8c1827Mark Andrews>BIND 9 Security Considerations</TITLE
4e3c7a22ea3219f680e09540ee12bb326fc2ccedMark Andrews><META
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsNAME="GENERATOR"
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark AndrewsCONTENT="Modular DocBook HTML Stylesheet Version 1.73
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews"><LINK
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsREL="HOME"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonTITLE="BIND 9 Administrator Reference Manual"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonHREF="Bv9ARM.html"><LINK
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsREL="PREVIOUS"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonTITLE="BIND 9 Configuration Reference"
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark AndrewsHREF="Bv9ARM.ch06.html"><LINK
c718d15a9a95054ee3c71540c02335426071fc6dMark AndrewsREL="NEXT"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsTITLE="Troubleshooting"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsHREF="Bv9ARM.ch08.html"></HEAD
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews><BODY
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="chapter"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsBGCOLOR="#FFFFFF"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsTEXT="#000000"
c718d15a9a95054ee3c71540c02335426071fc6dMark AndrewsLINK="#0000FF"
c718d15a9a95054ee3c71540c02335426071fc6dMark AndrewsVLINK="#840084"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsALINK="#0000FF"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><DIV
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="NAVHEADER"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><TABLE
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsSUMMARY="Header navigation table"
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonWIDTH="100%"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsBORDER="0"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCELLPADDING="0"
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark AndrewsCELLSPACING="0"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><TR
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews><TH
c6d4f781529d2f28693546b25b2967d44ec89e60Mark AndrewsCOLSPAN="3"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsALIGN="center"
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews>BIND 9 Administrator Reference Manual</TH
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews></TR
4038ab55037184d76153afd3c469aa8c85adf85dMark Andrews><TR
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews><TD
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsWIDTH="10%"
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark AndrewsALIGN="left"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsVALIGN="bottom"
ede29aeb412c5448ab9a2028763ae08e7887ca74Mark Andrews><A
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark AndrewsHREF="Bv9ARM.ch06.html"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsACCESSKEY="P"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews>Prev</A
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson></TD
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><TD
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsWIDTH="80%"
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonALIGN="center"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsVALIGN="bottom"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews></TD
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson><TD
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsWIDTH="10%"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonALIGN="right"
26a77b80bb7ee886c6fa704348d5e80a011d8811Mark AndrewsVALIGN="bottom"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><A
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark AndrewsHREF="Bv9ARM.ch08.html"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsACCESSKEY="N"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>Next</A
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews></TD
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews></TR
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews></TABLE
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><HR
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsALIGN="LEFT"
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsWIDTH="100%"></DIV
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><DIV
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="chapter"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><H1
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><A
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonNAME="ch07"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews>Chapter 7. <SPAN
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="acronym"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> 9 Security Considerations</A
c25080dc50542213058c240226c9f342186e6285Mark Andrews></H1
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><DIV
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark AndrewsCLASS="TOC"
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews><DL
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrews><DT
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews><B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>Table of Contents</B
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews></DT
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews><DT
c25080dc50542213058c240226c9f342186e6285Mark Andrews>7.1. <A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsHREF="Bv9ARM.ch07.html#Access_Control_Lists"
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews>Access Control Lists</A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></DT
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><DT
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>7.2. <A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsHREF="Bv9ARM.ch07.html#AEN4651"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="command"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>chroot</B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews> and <B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="command"
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrews>setuid</B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews> (for
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsUNIX servers)</A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></DT
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><DT
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>7.3. <A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsHREF="Bv9ARM.ch07.html#dynamic_update_security"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>Dynamic Update Security</A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></DT
c25080dc50542213058c240226c9f342186e6285Mark Andrews></DL
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews></DIV
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><DIV
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="sect1"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><H1
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="sect1"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsNAME="Access_Control_Lists"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>7.1. Access Control Lists</A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></H1
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><P
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>Access Control Lists (ACLs), are address match lists that
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrewsyou can set up and nickname for future use in <B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="command"
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews>allow-notify</B
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<B
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark AndrewsCLASS="command"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>allow-query</B
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>, <B
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark AndrewsCLASS="command"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>allow-recursion</B
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews>,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="command"
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews>blackhole</B
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews>, <B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="command"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>allow-transfer</B
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonetc.</P
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><P
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>Using ACLs allows you to have finer control over who can access
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrewsyour name server, without cluttering up your config files with huge
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrewslists of IP addresses.</P
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><P
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews>It is a <SPAN
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark AndrewsCLASS="emphasis"
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson><I
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark AndrewsCLASS="emphasis"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>good idea</I
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews></SPAN
7c40ffd67bd1e73907f83a79a6ff8c635f4a4a74Mark Andrews> to use ACLs, and to
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrewscontrol access to your server. Limiting access to your server by
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonoutside parties can help prevent spoofing and DoS attacks against
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsyour server.</P
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><P
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews>Here is an example of how to properly apply ACLs:</P
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews><PRE
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="programlisting"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson// which is commonly used in spoofing attacks.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrewsacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington// Set up an ACL called our-nets. Replace this with the real IP numbers.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsacl our-nets { x.x.x.x/24; x.x.x.x/21; };
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsoptions {
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  ...
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews  ...
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews  allow-query { our-nets; };
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  allow-recursion { our-nets; };
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  ...
5752b9e296f14034f103149f18188770c2cc5239Mark Andrews  blackhole { bogusnets; };
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews  ...
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews};
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrewszone "example.com" {
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  type master;
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  file "m/example.com";
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  allow-query { any; };
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson};
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</PRE
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><P
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>This allows recursive queries of the server from the outside
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsunless recursion has been previously disabled.</P
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><P
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson>For more information on how to use ACLs to protect your server,
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrewssee the <SPAN
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="emphasis"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews><I
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="emphasis"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews>AUSCERT</I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> advisory at
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<A
eaccf5e805405de257b5a4840256c580fefe00e3Mark AndrewsHREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsTARGET="_top"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews></P
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></DIV
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><DIV
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="sect1"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><H1
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="sect1"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonNAME="AEN4651"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>7.2. <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>chroot</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> and <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>setuid</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> (for
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonUNIX servers)</A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></H1
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>On UNIX servers, it is possible to run <SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="acronym"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> in a <SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="emphasis"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="emphasis"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>chrooted</I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> environment
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington(<B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>chroot()</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>) by specifying the "<TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="option"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>-t</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonoption. This can help improve system security by placing <SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="acronym"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtona "sandbox", which will limit the damage done if a server is compromised.</P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>Another useful feature in the UNIX version of <SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="acronym"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> is the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonability to run the daemon as an unprivileged user ( <TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="option"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>-u</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> <TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="replaceable"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>user</I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> ).
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonWe suggest running as an unprivileged user when using the <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>chroot</B
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews> feature.</P
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>Here is an example command line to load <SPAN
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian WellingtonCLASS="acronym"
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington>BIND</SPAN
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington> in a <B
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian WellingtonCLASS="command"
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington>chroot()</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> sandbox,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<B
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian WellingtonCLASS="command"
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington>/var/named</B
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington>, and to run <B
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>named</B
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews> <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>setuid</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonuser 202:</P
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews><P
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><TT
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsCLASS="userinput"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>/usr/local/bin/named -u 202 -t /var/named</B
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></TT
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews></P
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews><DIV
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="sect2"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><H2
eaccf5e805405de257b5a4840256c580fefe00e3Mark AndrewsCLASS="sect2"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews><A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsNAME="AEN4674"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>7.2.1. The <B
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="command"
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews>chroot</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> Environment</A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></H2
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>In order for a <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>chroot()</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> environment to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonwork properly in a particular directory
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington(for example, <TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>/var/named</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonyou will need to set up an environment that includes everything
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="acronym"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> needs to run.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonFrom <SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="acronym"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>'s point of view, <TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>/var/named</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonthe root of the filesystem.  You will need to adjust the values of options like
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrewslike <B
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>directory</B
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews> and <B
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="command"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>pid-file</B
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews> to account
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsfor this.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</P
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>&#13;Unlike with earlier versions of BIND, you will typically
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="emphasis"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="emphasis"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>not</I
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> need to compile <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>named</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonstatically nor install shared libraries under the new root.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonHowever, depending on your operating system, you may need
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonto set up things like
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>/dev/zero</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>/dev/random</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews>/dev/log</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>, and/or
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>/etc/localtime</TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="sect2"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><H2
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="sect2"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonNAME="AEN4692"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews>7.2.2. Using the <B
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="command"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>setuid</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> Function</A
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews></H2
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><P
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>Prior to running the <B
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="command"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>named</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> daemon, use
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonthe <B
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>touch</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> utility (to change file access and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonmodification times) or the <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>chown</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> utility (to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonset the user id and/or group id) on files
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonto which you want <SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="acronym"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonto write.  Note that if the <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>named</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> daemon is running as an
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonunprivileged user, it will not be able to bind to new restricted ports if the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonserver is reloaded.</P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="sect1"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><H1
bf54ac86eeddce16b67c525d38d1096cc956f478Mark AndrewsCLASS="sect1"
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews><A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonNAME="dynamic_update_security"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>7.3. Dynamic Update Security</A
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews></H1
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><P
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews>Access to the dynamic
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsupdate facility should be strictly limited.  In earlier versions of
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<SPAN
eaccf5e805405de257b5a4840256c580fefe00e3Mark AndrewsCLASS="acronym"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>BIND</SPAN
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> the only way to do this was based on the IP
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsaddress of the host requesting the update, by listing an IP address or
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsnetwork prefix in the <B
eaccf5e805405de257b5a4840256c580fefe00e3Mark AndrewsCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>allow-update</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> zone option.
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsThis method is insecure since the source address of the update UDP packet
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsis easily forged.  Also note that if the IP addresses allowed by the
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<B
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian WellingtonCLASS="command"
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington>allow-update</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> option include the address of a slave
83a810eba60ae87341a2d177ff60d834e26d7a90Mark Andrewsserver which performs forwarding of dynamic updates, the master can be
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellingtontrivially attacked by sending the update to the slave, which will
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrewsforward it to the master with its own source IP address causing the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsmaster to approve it without question.</P
2bef3713093349af52ba61eaab07adf3207da873Mark Andrews><P
2bef3713093349af52ba61eaab07adf3207da873Mark Andrews>For these reasons, we strongly recommend that updates be
2bef3713093349af52ba61eaab07adf3207da873Mark Andrewscryptographically authenticated by means of transaction signatures
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews(TSIG).  That is, the <B
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsCLASS="command"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews>allow-update</B
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews> option should
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewslist only TSIG key names, not IP addresses or network
83a810eba60ae87341a2d177ff60d834e26d7a90Mark Andrewsprefixes. Alternatively, the new <B
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsCLASS="command"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews>update-policy</B
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsoption can be used.</P
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><P
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews>Some sites choose to keep all dynamically updated DNS data
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsin a subdomain and delegate that subdomain to a separate zone. This
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsway, the top-level zone containing critical data such as the IP addresses
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsof public web and mail servers need not allow dynamic update at
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsall.</P
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews></DIV
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews></DIV
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><DIV
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark AndrewsCLASS="NAVFOOTER"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><HR
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsALIGN="LEFT"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsWIDTH="100%"><TABLE
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsSUMMARY="Footer navigation table"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonWIDTH="100%"
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsBORDER="0"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsCELLPADDING="0"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCELLSPACING="0"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><TR
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><TD
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsWIDTH="33%"
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsALIGN="left"
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsVALIGN="top"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews><A
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsHREF="Bv9ARM.ch06.html"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsACCESSKEY="P"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews>Prev</A
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews></TD
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews><TD
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsWIDTH="34%"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsALIGN="center"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsVALIGN="top"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews><A
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsHREF="Bv9ARM.html"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsACCESSKEY="H"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews>Home</A
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews></TD
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews><TD
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsWIDTH="33%"
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark AndrewsALIGN="right"
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark AndrewsVALIGN="top"
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark Andrews><A
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark AndrewsHREF="Bv9ARM.ch08.html"
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsACCESSKEY="N"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>Next</A
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews></TD
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></TR
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><TR
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><TD
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark AndrewsWIDTH="33%"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonALIGN="left"
ca9a8f6d0b0f2a400a96f868193471510364336fMark AndrewsVALIGN="top"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><SPAN
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsCLASS="acronym"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>BIND</SPAN
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews> 9 Configuration Reference</TD
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews><TD
854b0d831e45a90211917e3a49f40d10c4a2ee79Mark AndrewsWIDTH="34%"
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark AndrewsALIGN="center"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonVALIGN="top"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>&nbsp;</TD
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews><TD
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsWIDTH="33%"
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsALIGN="right"
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark AndrewsVALIGN="top"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>Troubleshooting</TD
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews></TR
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></TABLE
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews></DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></BODY
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews></HTML
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>