Bv9ARM.ch07.html revision b5e4e4da43461f416b19d52ec047495e6960579d
436aad11e01e916f75e68a2e9cb89ac217a990d3Tinderbox User<HTML
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater><HEAD
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User><TITLE
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User>BIND 9 Security Considerations</TITLE
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User><META
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox UserNAME="GENERATOR"
c57668a2fbbe558c1bd21652813616f2f517c469Tinderbox UserCONTENT="Modular DocBook HTML Stylesheet Version 1.73
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews"><LINK
1f4c645185bd8fc70048e0a69eee46193a284e5cTinderbox UserREL="HOME"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsTITLE="BIND 9 Administrator Reference Manual"
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox UserHREF="Bv9ARM.html"><LINK
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox UserREL="PREVIOUS"
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox UserTITLE="BIND 9 Configuration Reference"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsHREF="Bv9ARM.ch06.html"><LINK
e676a596869d8a80a644c99a848afb53d1c5975eMark AndrewsREL="NEXT"
e676a596869d8a80a644c99a848afb53d1c5975eMark AndrewsTITLE="Troubleshooting"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsHREF="Bv9ARM.ch08.html"></HEAD
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews><BODY
a7c412f37cc73d0332887a746e81220cbf09dd00Mark AndrewsCLASS="chapter"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsBGCOLOR="#FFFFFF"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsTEXT="#000000"
e676a596869d8a80a644c99a848afb53d1c5975eMark AndrewsLINK="#0000FF"
e676a596869d8a80a644c99a848afb53d1c5975eMark AndrewsVLINK="#840084"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsALINK="#0000FF"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="NAVHEADER"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><TABLE
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsSUMMARY="Header navigation table"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserWIDTH="100%"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsBORDER="0"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCELLPADDING="0"
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark AndrewsCELLSPACING="0"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><TR
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><TH
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCOLSPAN="3"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserALIGN="center"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>BIND 9 Administrator Reference Manual</TH
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User></TR
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><TR
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><TD
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsWIDTH="10%"
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox UserALIGN="left"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsVALIGN="bottom"
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt><A
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserHREF="Bv9ARM.ch06.html"
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox UserACCESSKEY="P"
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt>Prev</A
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater></TD
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User><TD
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic UpdaterWIDTH="80%"
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan HuntALIGN="center"
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserVALIGN="bottom"
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User></TD
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt><TD
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox UserWIDTH="10%"
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic UpdaterALIGN="right"
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic UpdaterVALIGN="bottom"
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater><A
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsHREF="Bv9ARM.ch08.html"
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic UpdaterACCESSKEY="N"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>Next</A
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></TD
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></TR
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></TABLE
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater><HR
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsALIGN="LEFT"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsWIDTH="100%"></DIV
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User><DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="chapter"
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater><H1
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><A
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark AndrewsNAME="ch07"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>Chapter 7. <SPAN
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="acronym"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>BIND</SPAN
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews> 9 Security Considerations</A
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt></H1
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt><DIV
2ae159b376dac23870d8005563c585acf85a4b5aEvan HuntCLASS="TOC"
95637507c3d47481fbf0a8a8c750a57f944f677fMark Andrews><DL
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt><DT
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt><B
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt>Table of Contents</B
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt></DT
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt><DT
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt>7.1. <A
2ae159b376dac23870d8005563c585acf85a4b5aEvan HuntHREF="Bv9ARM.ch07.html#Access_Control_Lists"
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User>Access Control Lists</A
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews></DT
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><DT
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User>7.2. <A
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox UserHREF="Bv9ARM.ch07.html#AEN4675"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><B
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox UserCLASS="command"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>chroot</B
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User> and <B
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox UserCLASS="command"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>setuid</B
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User> (for
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsUNIX servers)</A
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User></DT
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User><DT
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>7.3. <A
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserHREF="Bv9ARM.ch07.html#dynamic_update_security"
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson>Dynamic Update Security</A
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User></DT
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></DL
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User></DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><DIV
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCLASS="sect1"
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews><H1
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="sect1"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><A
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsNAME="Access_Control_Lists"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>7.1. Access Control Lists</A
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson></H1
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><P
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>Access Control Lists (ACLs) are address match lists that
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox Useryou can set up and nickname for future use in <B
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="command"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>allow-notify</B
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson>,
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<B
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="command"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>allow-query</B
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>, <B
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark AndrewsCLASS="command"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>allow-recursion</B
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<B
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox UserCLASS="command"
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews>blackhole</B
fd972434c29fc1169d66594e4cc7697d33036c2bTinderbox User>, <B
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox UserCLASS="command"
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User>allow-transfer</B
fd972434c29fc1169d66594e4cc7697d33036c2bTinderbox User>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupontetc.</P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>Using ACLs allows you to have finer control over who can access
2a31bd531072824ef252c18303859d6af7451b00Francis Dupontyour name server, without cluttering up your config files with huge
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrewslists of IP addresses.</P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>It is a <SPAN
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="emphasis"
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews><I
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="emphasis"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>good idea</I
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews></SPAN
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews> to use ACLs, and to
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewscontrol access to your server. Limiting access to your server by
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsoutside parties can help prevent spoofing and DoS attacks against
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrewsyour server.</P
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><P
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User>Here is an example of how to properly apply ACLs:</P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><PRE
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="programlisting"
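e20788e1216ed720aefa84f3295f7899d9f28c22Mark Andrews>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space and the other reserved or then-unassigned ranges listed below,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews// which are commonly used in spoofing attacks. 1.0.0.0/8 and 2.0.0.0/8 have since been allocated; check the list against the current IANA registry before use.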
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews// Set up an ACL called our-nets. Replace this with the real IP numbers.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox Useracl our-nets { x.x.x.x/24; x.x.x.x/21; };
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox Useroptions {
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User ...
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater ...
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews allow-query { our-nets; };
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User allow-recursion { our-nets; };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews ...
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User blackhole { bogusnets; };
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater ...
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User};
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewszone "example.com" {
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User type master;
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews file "m/example.com";
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User allow-query { any; };
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User};
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User</PRE
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><P
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>This allows queries for example.com from any address, but recursive queries
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsonly from the networks in our-nets, and no queries at all from the networks in bogusnets.</P
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><P
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater>For more information on how to use ACLs to protect your server,
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox Usersee the <SPAN
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="emphasis"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><I
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="emphasis"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>AUSCERT</I
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson></SPAN
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User> advisory at
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<A
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserHREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsTARGET="_top"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater></P
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User></DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><DIV
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCLASS="sect1"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><H1
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCLASS="sect1"
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater><A
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserNAME="AEN4675"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>7.2. <B
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCLASS="command"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>chroot</B
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User> and <B
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="command"
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User>setuid</B
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews> (for
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserUNIX servers)</A
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></H1
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User><P
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User>On UNIX servers, it is possible to run <SPAN
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCLASS="acronym"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>BIND</SPAN
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User> in a <SPAN
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="emphasis"
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User><I
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="emphasis"
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews>chrooted</I
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews></SPAN
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User> environment
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User(<B
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserCLASS="command"
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User>chroot()</B
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User>) by specifying the "<TT
a7c412f37cc73d0332887a746e81220cbf09dd00Mark AndrewsCLASS="option"
7ca715ad1587a68a531ea1cdea07515d7232567eTinderbox User>-t</TT
269519eeb959d905ed125f96426e01d725c3b597Tinderbox User>"
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updateroption. This can help improve system security by placing <SPAN
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="acronym"
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews>BIND</SPAN
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews> in
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox Usera "sandbox", which will limit the damage done if a server is compromised.</P
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews><P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>Another useful feature in the UNIX version of <SPAN
91d187ce035f39073f0732ff2a401a45c3c955fbMark AndrewsCLASS="acronym"
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews>BIND</SPAN
bc0a53583d92309bebcf93c408e2f3247ebd3d3cAutomatic Updater> is the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updaterability to run the daemon as an unprivileged user ( <TT
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="option"
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater>-u</TT
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> <TT
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="replaceable"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><I
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater>user</I
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater></TT
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User> ).
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox UserWe suggest running as an unprivileged user when using the <B
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="command"
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater>chroot</B
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> feature, because a process that keeps root privileges is not reliably confined by chroot().</P
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater><P
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater>Here is an example command line to load <SPAN
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="acronym"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>BIND</SPAN
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater> in a <B
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox UserCLASS="command"
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews>chroot()</B
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User> sandbox,
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User<B
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserCLASS="command"
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews>/var/named</B
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>, and to run <B
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic UpdaterCLASS="command"
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User>named</B
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User> <B
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic UpdaterCLASS="command"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>setuid</B
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews> to
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox Useruser 202:</P
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><P
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater><TT
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox UserCLASS="userinput"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews><B
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>/usr/local/bin/named -u 202 -t /var/named</B
bf5e2127e92e52cbf661e77dd6a76e5aef43542fTinderbox User></TT
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews></P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><DIV
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="sect2"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater><H2
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserCLASS="sect2"
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User><A
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterNAME="AEN4698"
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews>7.2.1. The <B
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="command"
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User>chroot</B
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User> Environment</A
757ff043760e4743dda1a10e7d58349275934902Tinderbox User></H2
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater><P
6025cbbe8408f4b09d53d5ec1e95cb6da97e0a8dTinderbox User>In order for a <B
e676a596869d8a80a644c99a848afb53d1c5975eMark AndrewsCLASS="command"
757ff043760e4743dda1a10e7d58349275934902Tinderbox User>chroot()</B
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> environment to
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updaterwork properly in a particular directory
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews(for example, <TT
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="filename"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>/var/named</TT
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>),
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsyou will need to set up an environment that includes everything
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<SPAN
757ff043760e4743dda1a10e7d58349275934902Tinderbox UserCLASS="acronym"
757ff043760e4743dda1a10e7d58349275934902Tinderbox User>BIND</SPAN
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User> needs to run.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserFrom <SPAN
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox UserCLASS="acronym"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>BIND</SPAN
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews>'s point of view, <TT
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox UserCLASS="filename"
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User>/var/named</TT
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews> is
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox Userthe root of the filesystem. You will need to adjust the values of options like
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<B
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox UserCLASS="command"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>directory</B
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User> and <B
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="command"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>pid-file</B
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews> to account
e31cfd80616deb9781902306b34a69aa7309b6cbTinderbox Userfor this.
7ac34650fa344f42211d6da744ae486b0145a083Tinderbox User</P
4f45d802dc97f12f87e23be2f2e0ba6216e6cea2Tinderbox User><P
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews>&#13;Unlike with earlier versions of BIND, you will typically
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<SPAN
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="emphasis"
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews><I
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark AndrewsCLASS="emphasis"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>not</I
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews></SPAN
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews> need to compile <B
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark AndrewsCLASS="command"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>named</B
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrewsstatically nor install shared libraries under the new root.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsHowever, depending on your operating system, you may need
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsto set up things like
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<TT
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="filename"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>/dev/zero</TT
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<TT
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="filename"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>/dev/random</TT
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<TT
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic UpdaterCLASS="filename"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>/dev/log</TT
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>, and/or
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<TT
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="filename"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>/etc/localtime</TT
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews</P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews></DIV
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="sect2"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><H2
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="sect2"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><A
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsNAME="AEN4716"
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews>7.2.2. Using the <B
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark AndrewsCLASS="command"
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews>setuid</B
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User> Function</A
c5a97a549c89d562e999d4f906b882c5a2a474e1Tinderbox User></H2
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User><P
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews>Prior to running the <B
95c3a5e116c1da135f669c3f15398172fac6279dMark AndrewsCLASS="command"
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User>named</B
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User> daemon, use
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox Userthe <B
d585233c52e283d9a8849f16f04f452419a2484eTinderbox UserCLASS="command"
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User>touch</B
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews> utility (to change file access and
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updatermodification times) or the <B
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="command"
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User>chown</B
757ff043760e4743dda1a10e7d58349275934902Tinderbox User> utility (to
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrewsset the user id and/or group id) on files
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox Userto which you want <SPAN
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark AndrewsCLASS="acronym"
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User>BIND</SPAN
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updaterto write. Note that if the <B
7f79131f9a8e804b93c57f3c679065cce878b726Automatic UpdaterCLASS="command"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>named</B
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson> daemon is running as an
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsunprivileged user, it will not be able to bind to new restricted ports if the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsserver is reloaded.</P
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews></DIV
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><DIV
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark AndrewsCLASS="sect1"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><H1
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="sect1"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><A
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox UserNAME="dynamic_update_security"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>7.3. Dynamic Update Security</A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></H1
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><P
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews>Access to the dynamic
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsupdate facility should be strictly limited. In earlier versions of
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<SPAN
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="acronym"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>BIND</SPAN
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews> the only way to do this was based on the IP
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsaddress of the host requesting the update, by listing an IP address or
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsnetwork prefix in the <B
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsCLASS="command"
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User>allow-update</B
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User> zone option.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsThis method is insecure since the source address of the update UDP packet
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrewsis easily forged. Also note that if the IP addresses allowed by the
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews<B
a5636b773fa05a272b6876afd99309c0b3090e2fMark AndrewsCLASS="command"
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews>allow-update</B
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews> option include the address of a slave
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox Userserver which performs forwarding of dynamic updates, the master can be
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox Usertrivially attacked by sending the update to the slave, which will
d6317350b1180aa4517f2e8a92fa8fbcbf904ad8Automatic Updaterforward it to the master with its own source IP address, causing the
bc0a4c01beede169df81a3ee5b614ed9e82339dbAutomatic Updatermaster to approve it without question.</P
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>For these reasons, we strongly recommend that updates be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtoncryptographically authenticated by means of transaction signatures
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington(TSIG). That is, the <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>allow-update</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington> option should
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonlist only TSIG key names, not IP addresses or network
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonprefixes. Alternatively, the new <B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>update-policy</B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonoption can be used.</P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>Some sites choose to keep all dynamically updated DNS data
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonin a subdomain and delegate that subdomain to a separate zone. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonway, the top-level zone containing critical data such as the IP addresses
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonof public web and mail servers need not allow dynamic update at
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonall.</P
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><DIV
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="NAVFOOTER"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><HR
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonALIGN="LEFT"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonWIDTH="100%"><TABLE
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonSUMMARY="Footer navigation table"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonWIDTH="100%"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonBORDER="0"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCELLPADDING="0"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCELLSPACING="0"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><TR
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><TD
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonWIDTH="33%"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonALIGN="left"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonVALIGN="top"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonHREF="Bv9ARM.ch06.html"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonACCESSKEY="P"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>Prev</A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></TD
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><TD
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonWIDTH="34%"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonALIGN="center"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonVALIGN="top"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonHREF="Bv9ARM.html"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonACCESSKEY="H"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington>Home</A
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington></TD
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington><TD
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsWIDTH="33%"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsALIGN="right"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsVALIGN="top"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews><A
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsHREF="Bv9ARM.ch08.html"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark AndrewsACCESSKEY="N"
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews>Next</A
22d32791e5daa0bc80335a0f10ab2de95f41ccdbTinderbox User></TD
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater></TR
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater><TR
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater><TD
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterWIDTH="33%"
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterALIGN="left"
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterVALIGN="top"
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User><SPAN
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterCLASS="acronym"
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater>BIND</SPAN
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater> 9 Configuration Reference</TD
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater><TD
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterWIDTH="34%"
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterALIGN="center"
ae7e54b14c946e0984c191554db9abb4893f9349Automatic UpdaterVALIGN="top"
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater>&nbsp;</TD
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews><TD
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox UserWIDTH="33%"
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox UserALIGN="right"
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox UserVALIGN="top"
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User>Troubleshooting</TD
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User></TR
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User></TABLE
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User></DIV
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User></BODY
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User></HTML
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User>