doc/arm/Bv9ARM.ch07.html

	Bv9ARM.ch07.html revision 983df82baf1d7d0b668c98cf45928a19f175c6e7
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Chapter�7.�BIND 9 Security Considerations</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="chapter" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2609545"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2609694">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2609754">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Access Control Lists (ACLs) are address match lists that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          you can set up and nickname for future use in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">allow-notify</strong></span>, <span><strong class="command">allow-query</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">allow-query-on</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">match-clients</strong></span>, etc.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Using ACLs allows you to have finer control over who can access
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          your name server, without cluttering up your config files with huge
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          lists of IP addresses.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          control access to your server. Limiting access to your server by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          outside parties can help prevent spoofing and denial of service
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          (DoS) attacks against your server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACLs match clients on the basis of up to three characteristics:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          1) The client's IP address; 2) the TSIG or SIG(0) key that was
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson          used to sign the request, if any; and 3) an address prefix
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          encoded in an EDNS Client Subnet option, if any.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson        </p>
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          Here is an example of ACLs based on client addresses:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// Set up an ACL named "bogusnets" that will block
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// RFC1918 space and some reserved space, which is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// commonly used in spoofing attacks.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl bogusnets {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Set up an ACL called our-nets. Replace this with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// real IP numbers.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinacl our-nets { x.x.x.x/24; x.x.x.x/21; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-query { our-nets; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-recursion { our-nets; };
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson  ...
575e532437cf7f203707765e21767db92fa1e480Mark Andrews  blackhole { bogusnets; };
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson  ...
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "example.com" {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  file "m/example.com";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-query { any; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          This allows authoritative queries for "example.com" from any
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          address, but recursive queries only from the networks specified
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          in "our-nets", and no queries at all from the networks
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          specified in "bogusnets".
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          In addition to network addresses and prefixes, which are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          matched against the source address of the DNS request, ACLs
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          may include <code class="option">key</code> elements, which specify the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          elements, which specify a network prefix but are only matched
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          if that prefix matches an EDNS client subnet option included
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          in the request.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          The EDNS Client Subnet (ECS) option is used by a recursive
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          resolver to inform an authoritative name server of the network
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address block from which the original query was received, enabling
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          authoritative servers to give different answers to the same
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          resolver for different resolver clients.  An ACL containing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          an element of the form
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">ecs <em class="replaceable"><code>prefix</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will match if a request arrives in containing an ECS option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          encoding an address within that prefix.  If the request has no
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ECS option, then "ecs" elements are simply ignored.  Addresses
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in ACLs that are not prefixed with "ecs" are matched only
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          against the source address.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACLs can also be used for geographic access restrictions.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This is done by specifying an ACL element of the form:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <em class="replaceable"><code>field</code></em> indicates which field
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to search for a match.  Available fields are "country",
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "region", "city", "continent", "postal" (postal code),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "metro" (metro code), "area" (area code), "tz" (timezone),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "isp", "org", "asnum", "domain" and "netspeed".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <em class="replaceable"><code>value</code></em> is the value to search
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          for within the database.  A string may be quoted if it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          contains spaces or other special characters.  If this is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          an "asnum" search, then the leading "ASNNNN" string can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          used, otherwise the full description must be used (e.g.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "ASNNNN Example Company Name").  If this is a "country"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          search and the string is two characters long, then it must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be a standard ISO-3166-1 two-letter country code, and if it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is three characters long then it must be an ISO-3166-1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          three-letter country code; otherwise it is the full name
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          of the country.  Similarly, if this is a "region" search
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          and the string is two characters long, then it must be a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          standard two-letter state or province abbreviation;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          otherwise it is the full name of the state or province.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <em class="replaceable"><code>database</code></em> field indicates which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          GeoIP database to search for a match.  In most cases this is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          unnecessary, because most search fields can only be found in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          a single database.  However, searches for country can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          answered from the "city", "region", or "country" databases,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          and searches for region (i.e., state or province) can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          answered from the "city" or "region" databases.  For these
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          search types, specifying a <em class="replaceable"><code>database</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will force the query to be answered from that database and no
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          other.  If <em class="replaceable"><code>database</code></em> is not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          specified, then these queries will be answered from the "city",
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          database if it is installed, or the "region" database if it is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          installed, or the "country" database, in that order.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          By default, if a DNS query includes an EDNS Client Subnet (ECS)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option which encodes a non-zero address prefix, then GeoIP ACLs
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will be matched against that address prefix.  Otherwise, they
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          are matched against the source address of the query.  To
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          prevent GeoIP ACLs from matching against ECS options, set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the <span><strong class="command">geoip-use-ecs</strong></span> to <code class="literal">no</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Some example GeoIP ACLs:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">geoip country US;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip country JAP;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip db country country Canada;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip db region region WA;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip city "San Francisco";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip region Oklahoma;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip postal 95062;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip tz "America/Los_Angeles";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip org "Internet Systems Consortium";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACLs use a "first-match" logic rather than "best-match":
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          if an address prefix matches an ACL element, then that ACL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is considered to have matched even if a later element would
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          have matched more specifically.  For example, the ACL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command"> { 10/8; !10.0.0.1; }</strong></span> would actually
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          match a query from 10.0.0.1, because the first element
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          indicated that the query should be accepted, and the second
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          element is ignored.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          When using "nested" ACLs (that is, ACLs included or referenced
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          within other ACLs), a negative match of a nested ACL will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the containing ACL to continue looking for matches.  This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          enables complex ACLs to be constructed, in which multiple
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          client characteristics can be checked at the same time. For
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          example, to construct an ACL which allows queries only when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          it originates from a particular network <span class="emphasis"><em>and</em></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          only when it is signed with a particular key, use:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinallow-query { !{ !10/8; any; }; key example; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Within the nested ACL, any address that is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be rejected, and this will terminate processing of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACL.  Any address that <span class="emphasis"><em>is</em></span> in the 10/8
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          network prefix will be accepted, but this causes a negative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          match of the nested ACL, so the containing ACL continues
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          processing. The query will then be accepted if it is signed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          by the key "example", and rejected otherwise.  The ACL, then,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will only matches when <span class="emphasis"><em>both</em></span> conditions
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          are true.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2609545"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in a <span class="emphasis"><em>chrooted</em></span> environment (using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the <span><strong class="command">chroot()</strong></span> function) by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the <code class="option">-t</code> option for <span><strong class="command">named</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This can help improve system security by placing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the damage done if a server is compromised.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          user 202:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2609694"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            In order for a <span><strong class="command">chroot</strong></span> environment
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            work properly in a particular directory
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            (for example, <code class="filename">/var/named</code>),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            you will need to set up an environment that includes everything
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <acronym class="acronym">BIND</acronym> needs to run.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the root of the filesystem.  You will need to adjust the values of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            options like
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            for this.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Unlike with earlier versions of BIND, you typically will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            statically nor install shared libraries under the new root.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            However, depending on your operating system, you may need
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to set up things like
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/zero</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/random</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/log</code>, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/etc/localtime</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2609754"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Prior to running the <span><strong class="command">named</strong></span> daemon,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            use
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the <span><strong class="command">touch</strong></span> utility (to change file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            access and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            modification times) or the <span><strong class="command">chown</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            utility (to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            set the user id and/or group id) on files
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to which you want <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to write.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h3 class="title">Note</h3>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Note that if the <span><strong class="command">named</strong></span> daemon is running as an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            unprivileged user, it will not be able to bind to new restricted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            ports if the server is reloaded.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Access to the dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          update facility should be strictly limited.  In earlier versions of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <acronym class="acronym">BIND</acronym>, the only way to do this was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          based on the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address of the host requesting the update, by listing an IP address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          network prefix in the <span><strong class="command">allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zone option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This method is insecure since the source address of the update UDP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          packet
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is easily forged.  Also note that if the IP addresses allowed by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">allow-update</strong></span> option include the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address of a slave
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          server which performs forwarding of dynamic updates, the master can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          trivially attacked by sending the update to the slave, which will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          forward it to the master with its own source IP address causing the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          master to approve it without question.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          For these reasons, we strongly recommend that updates be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          cryptographically authenticated by means of transaction signatures
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option should
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          list only TSIG key names, not IP addresses or network
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Some sites choose to keep all dynamically-updated DNS data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in a subdomain and delegate that subdomain to a separate zone. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          way, the top-level zone containing critical data such as the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          addresses
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          of public web and mail servers need not allow dynamic update at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          all.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center">�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein