doc/arm/Bv9ARM.ch07.html

	Bv9ARM.ch07.html revision ffe29868b4bbc64953fc5d0de51f988c20158967
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
dcfda24abf565c442d058cbf81b2180d847a1b3eAutomatic Updater<!--
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - License, v. 2.0. If a copy of the MPL was not distributed with this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - file, You can obtain one at http://mozilla.org/MPL/2.0/.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Chapter�7.�BIND 9 Security Considerations</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="chapter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h1 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Access Control Lists (ACLs) are address match lists that
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          you can set up and nickname for future use in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>match-clients</strong></span>, etc.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater        <p>
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          Using ACLs allows you to have finer control over who can access
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          your name server, without cluttering up your config files with huge
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          lists of IP addresses.
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater        </p>
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater        <p>
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          control access to your server. Limiting access to your server by
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          outside parties can help prevent spoofing and denial of service
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          (DoS) attacks against your server.
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater        </p>
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACLs match clients on the basis of up to three characteristics:
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater          1) The client's IP address; 2) the TSIG or SIG(0) key that was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          used to sign the request, if any; and 3) an address prefix
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          encoded in an EDNS Client Subnet option, if any.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Here is an example of ACLs based on client addresses:
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater        </p>
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater<pre class="programlisting">
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater// Set up an ACL named "bogusnets" that will block
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater// RFC1918 space and some reserved space, which is
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater// commonly used in spoofing attacks.
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updateracl bogusnets {
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Set up an ACL called our-nets. Replace this with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// real IP numbers.
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updateracl our-nets { x.x.x.x/24; x.x.x.x/21; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-query { our-nets; };
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater  allow-recursion { our-nets; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater  blackhole { bogusnets; };
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater  ...
23967fcd6e214ac5194222a6b7f41fe869db4f9cAutomatic Updater};
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "example.com" {
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater  type master;
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater  file "m/example.com";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-query { any; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This allows authoritative queries for "example.com" from any
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          address, but recursive queries only from the networks specified
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          in "our-nets", and no queries at all from the networks
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          specified in "bogusnets".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          In addition to network addresses and prefixes, which are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          matched against the source address of the DNS request, ACLs
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          may include <code class="option">key</code> elements, which specify the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          elements, which specify a network prefix but are only matched
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          if that prefix matches an EDNS client subnet option included
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in the request.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The EDNS Client Subnet (ECS) option is used by a recursive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          resolver to inform an authoritative name server of the network
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          address block from which the original query was received, enabling
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          authoritative servers to give different answers to the same
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          resolver for different resolver clients.  An ACL containing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          an element of the form
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will match if a request arrives in containing an ECS option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          encoding an address within that prefix.  If the request has no
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ECS option, then "ecs" elements are simply ignored.  Addresses
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in ACLs that are not prefixed with "ecs" are matched only
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          against the source address.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h3 class="title">Note</h3>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            (Note: The authoritative ECS implementation in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="command"><strong>named</strong></span> is based on an early version of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            specification, and is known to have incompatibilities with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            other implementations.  It is also inefficient, requiring
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            a separate view for each client subnet to be sent different
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            answers, and it is unable to correct for overlapping subnets in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the configuration.  It can be used for testing purposes, but is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            not recommended for production use.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACLs can also be used for geographic access restrictions.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This is done by specifying an ACL element of the form:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <em class="replaceable"><code>field</code></em> indicates which field
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to search for a match.  Available fields are "country",
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "region", "city", "continent", "postal" (postal code),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "metro" (metro code), "area" (area code), "tz" (timezone),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          "isp", "org", "asnum", "domain" and "netspeed".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <em class="replaceable"><code>value</code></em> is the value to search
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          for within the database.  A string may be quoted if it
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          contains spaces or other special characters.  If this is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          an "asnum" search, then the leading "ASNNNN" string can be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          used, otherwise the full description must be used (e.g.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          "ASNNNN Example Company Name").  If this is a "country"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          search and the string is two characters long, then it must
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          be a standard ISO-3166-1 two-letter country code, and if it
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          is three characters long then it must be an ISO-3166-1
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          three-letter country code; otherwise it is the full name
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          of the country.  Similarly, if this is a "region" search
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          and the string is two characters long, then it must be a
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          standard two-letter state or province abbreviation;
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          otherwise it is the full name of the state or province.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        <p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          The <em class="replaceable"><code>database</code></em> field indicates which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          GeoIP database to search for a match.  In most cases this is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          unnecessary, because most search fields can only be found in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          a single database.  However, searches for country can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          answered from the "city", "region", or "country" databases,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          and searches for region (i.e., state or province) can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          answered from the "city" or "region" databases.  For these
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          search types, specifying a <em class="replaceable"><code>database</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will force the query to be answered from that database and no
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          other.  If <em class="replaceable"><code>database</code></em> is not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          specified, then these queries will be answered from the "city",
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          database if it is installed, or the "region" database if it is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          installed, or the "country" database, in that order.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          By default, if a DNS query includes an EDNS Client Subnet (ECS)
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          option which encodes a non-zero address prefix, then GeoIP ACLs
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          will be matched against that address prefix.  Otherwise, they
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          are matched against the source address of the query.  To
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          prevent GeoIP ACLs from matching against ECS options, set
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        </p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          Some example GeoIP ACLs:
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        </p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <pre class="programlisting">geoip country US;
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updatergeoip country JAP;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip db country country Canada;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip db region region WA;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip city "San Francisco";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip region Oklahoma;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip postal 95062;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip tz "America/Los_Angeles";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingeoip org "Internet Systems Consortium";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ACLs use a "first-match" logic rather than "best-match":
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          if an address prefix matches an ACL element, then that ACL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is considered to have matched even if a later element would
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          have matched more specifically.  For example, the ACL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          match a query from 10.0.0.1, because the first element
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          indicated that the query should be accepted, and the second
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          element is ignored.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          When using "nested" ACLs (that is, ACLs included or referenced
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          within other ACLs), a negative match of a nested ACL will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the containing ACL to continue looking for matches.  This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          enables complex ACLs to be constructed, in which multiple
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          client characteristics can be checked at the same time. For
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          example, to construct an ACL which allows queries only when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          it originates from a particular network <span class="emphasis"><em>and</em></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          only when it is signed with a particular key, use:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinallow-query { !{ !10/8; any; }; key example; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Within the nested ACL, any address that is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          be rejected, and this will terminate processing of the
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          ACL.  Any address that <span class="emphasis"><em>is</em></span> in the 10/8
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          network prefix will be accepted, but this causes a negative
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          match of the nested ACL, so the containing ACL continues
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          processing. The query will then be accepted if it is signed
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          by the key "example", and rejected otherwise.  The ACL, then,
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          will only matches when <span class="emphasis"><em>both</em></span> conditions
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          are true.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </div>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      <div class="section">
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews</h2></div></div></div>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in a <span class="emphasis"><em>chrooted</em></span> environment (using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the <span class="command"><strong>chroot()</strong></span> function) by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This can help improve system security by placing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the damage done if a server is compromised.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          user 202:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            In order for a <span class="command"><strong>chroot</strong></span> environment
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews            to work properly in a particular directory (for example,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/var/named</code>), you will need to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            up an environment that includes everything
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <acronym class="acronym">BIND</acronym> needs to run.  From
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <acronym class="acronym">BIND</acronym>'s point of view,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/var/named</code> is the root of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            filesystem.  You will need to adjust the values of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            options like <span class="command"><strong>directory</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="command"><strong>pid-file</strong></span> to account for this.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Unlike with earlier versions of BIND, you typically will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            statically nor install shared libraries under the new root.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            However, depending on your operating system, you may need
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to set up things like
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/zero</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/random</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/log</code>, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/etc/localtime</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <div class="section">
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<div class="titlepage"><div><div><h3 class="title">
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          <p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            Prior to running the <span class="command"><strong>named</strong></span> daemon,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            use
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the <span class="command"><strong>touch</strong></span> utility (to change file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            access and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            modification times) or the <span class="command"><strong>chown</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            utility (to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            set the user id and/or group id) on files
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to which you want <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to write.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h3 class="title">Note</h3>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            If the <span class="command"><strong>named</strong></span> daemon is running as an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            unprivileged user, it will not be able to bind to new restricted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            ports if the server is reloaded.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Access to the dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          update facility should be strictly limited.  In earlier versions of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <acronym class="acronym">BIND</acronym>, the only way to do this was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          based on the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address of the host requesting the update, by listing an IP address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          network prefix in the <span class="command"><strong>allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zone option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This method is insecure since the source address of the update UDP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          packet
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is easily forged.  Also note that if the IP addresses allowed by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>allow-update</strong></span> option include the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address of a slave
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          server which performs forwarding of dynamic updates, the master can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          trivially attacked by sending the update to the slave, which will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          forward it to the master with its own source IP address causing the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          master to approve it without question.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          For these reasons, we strongly recommend that updates be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          cryptographically authenticated by means of transaction signatures
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          (TSIG).  That is, the <span class="command"><strong>allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option should
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          list only TSIG key names, not IP addresses or network
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Some sites choose to keep all dynamically-updated DNS data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in a subdomain and delegate that subdomain to a separate zone. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          way, the top-level zone containing critical data such as the IP
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          addresses
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          of public web and mail servers need not allow dynamic update at
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          all.
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        </p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      </div>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater    </div>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<div class="navfooter">
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<hr>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<table width="100%" summary="Navigation footer">
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<tr>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<td width="40%" align="left">
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<td width="20%" align="center">�</td>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</td>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</tr>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<tr>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</tr>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</table>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</div>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0</p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</body>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein