PageRenderTime 125ms CodeModel.GetById 52ms app.highlight 34ms RepoModel.GetById 1ms app.codeStats 5ms

/contrib/bind9/doc/arm/Bv9ARM-book.xml

https://bitbucket.org/freebsd/freebsd-head/
XML | 12029 lines | 11175 code | 821 blank | 33 comment | 0 complexity | 229a224015246795a39e20aab94ec4c8 MD5 | raw file

Large files files are truncated, but you can click here to view the full file

   1<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
   2              "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
   3	       [<!ENTITY mdash "&#8212;">]>
   4<!--
   5 - Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
   6 - Copyright (C) 2000-2003  Internet Software Consortium.
   7 -
   8 - Permission to use, copy, modify, and/or distribute this software for any
   9 - purpose with or without fee is hereby granted, provided that the above
  10 - copyright notice and this permission notice appear in all copies.
  11 -
  12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  14 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  18 - PERFORMANCE OF THIS SOFTWARE.
  19-->
  20
  21<!-- File: $Id$ -->
  22<book xmlns:xi="http://www.w3.org/2001/XInclude">
  23  <title>BIND 9 Administrator Reference Manual</title>
  24
  25  <bookinfo>
  26    <copyright>
  27      <year>2004</year>
  28      <year>2005</year>
  29      <year>2006</year>
  30      <year>2007</year>
  31      <year>2008</year>
  32      <year>2009</year>
  33      <year>2010</year>
  34      <year>2011</year>
  35      <year>2012</year>
  36      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
  37    </copyright>
  38    <copyright>
  39      <year>2000</year>
  40      <year>2001</year>
  41      <year>2002</year>
  42      <year>2003</year>
  43      <holder>Internet Software Consortium.</holder>
  44    </copyright>
  45  </bookinfo>
  46
  47  <chapter id="Bv9ARM.ch01">
  48    <title>Introduction</title>
  49    <para>
  50      The Internet Domain Name System (<acronym>DNS</acronym>)
  51      consists of the syntax
  52      to specify the names of entities in the Internet in a hierarchical
  53      manner, the rules used for delegating authority over names, and the
  54      system implementation that actually maps names to Internet
  55      addresses.  <acronym>DNS</acronym> data is maintained in a
  56      group of distributed
  57      hierarchical databases.
  58    </para>
  59
  60    <sect1>
  61      <title>Scope of Document</title>
  62
  63      <para>
  64        The Berkeley Internet Name Domain
  65        (<acronym>BIND</acronym>) implements a
  66        domain name server for a number of operating systems. This
  67        document provides basic information about the installation and
  68        care of the Internet Systems Consortium (<acronym>ISC</acronym>)
  69        <acronym>BIND</acronym> version 9 software package for
  70        system administrators.
  71      </para>
  72
  73      <para>
  74        This version of the manual corresponds to BIND version 9.8.
  75      </para>
  76
  77    </sect1>
  78    <sect1>
  79      <title>Organization of This Document</title>
  80      <para>
  81        In this document, <emphasis>Chapter 1</emphasis> introduces
  82        the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
  83        describes resource requirements for running <acronym>BIND</acronym> in various
  84        environments. Information in <emphasis>Chapter 3</emphasis> is
  85        <emphasis>task-oriented</emphasis> in its presentation and is
  86        organized functionally, to aid in the process of installing the
  87        <acronym>BIND</acronym> 9 software. The task-oriented
  88        section is followed by
  89        <emphasis>Chapter 4</emphasis>, which contains more advanced
  90        concepts that the system administrator may need for implementing
  91        certain options. <emphasis>Chapter 5</emphasis>
  92        describes the <acronym>BIND</acronym> 9 lightweight
  93        resolver.  The contents of <emphasis>Chapter 6</emphasis> are
  94        organized as in a reference manual to aid in the ongoing
  95        maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
  96        security considerations, and
  97        <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
  98        main body of the document is followed by several
  99        <emphasis>appendices</emphasis> which contain useful reference
 100        information, such as a <emphasis>bibliography</emphasis> and
 101        historic information related to <acronym>BIND</acronym>
 102        and the Domain Name
 103        System.
 104      </para>
 105    </sect1>
 106    <sect1>
 107      <title>Conventions Used in This Document</title>
 108
 109      <para>
 110        In this document, we use the following general typographic
 111        conventions:
 112      </para>
 113
 114      <informaltable>
 115        <tgroup cols="2">
 116          <colspec colname="1" colnum="1" colwidth="3.000in"/>
 117          <colspec colname="2" colnum="2" colwidth="2.625in"/>
 118          <tbody>
 119            <row>
 120              <entry colname="1">
 121                <para>
 122                  <emphasis>To describe:</emphasis>
 123                </para>
 124              </entry>
 125              <entry colname="2">
 126                <para>
 127                  <emphasis>We use the style:</emphasis>
 128                </para>
 129              </entry>
 130            </row>
 131            <row>
 132              <entry colname="1">
 133                <para>
 134                  a pathname, filename, URL, hostname,
 135                  mailing list name, or new term or concept
 136                </para>
 137              </entry>
 138              <entry colname="2">
 139                <para>
 140                  <filename>Fixed width</filename>
 141                </para>
 142              </entry>
 143            </row>
 144            <row>
 145              <entry colname="1">
 146                <para>
 147                  literal user
 148                  input
 149                </para>
 150              </entry>
 151              <entry colname="2">
 152                <para>
 153                  <userinput>Fixed Width Bold</userinput>
 154                </para>
 155              </entry>
 156            </row>
 157            <row>
 158              <entry colname="1">
 159                <para>
 160                  program output
 161                </para>
 162              </entry>
 163              <entry colname="2">
 164                <para>
 165                  <computeroutput>Fixed Width</computeroutput>
 166                </para>
 167              </entry>
 168            </row>
 169          </tbody>
 170        </tgroup>
 171      </informaltable>
 172
 173      <para>
 174        The following conventions are used in descriptions of the
 175        <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
 176                  <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
 177                      <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
 178            <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
 179            <tbody>
 180              <row rowsep="0">
 181                <entry colname="1" colsep="1" rowsep="1">
 182                  <para>
 183                    <emphasis>To describe:</emphasis>
 184                  </para>
 185                </entry>
 186                <entry colname="2" rowsep="1">
 187                  <para>
 188                    <emphasis>We use the style:</emphasis>
 189                  </para>
 190                </entry>
 191              </row>
 192              <row rowsep="0">
 193                <entry colname="1" colsep="1" rowsep="1">
 194                  <para>
 195                    keywords
 196                  </para>
 197                </entry>
 198                <entry colname="2" rowsep="1">
 199                  <para>
 200                    <literal>Fixed Width</literal>
 201                  </para>
 202                </entry>
 203              </row>
 204              <row rowsep="0">
 205                <entry colname="1" colsep="1" rowsep="1">
 206                  <para>
 207                    variables
 208                  </para>
 209                </entry>
 210                <entry colname="2" rowsep="1">
 211                  <para>
 212                    <varname>Fixed Width</varname>
 213                  </para>
 214                </entry>
 215              </row>
 216              <row rowsep="0">
 217                <entry colname="1" colsep="1">
 218                  <para>
 219                    Optional input
 220                  </para>
 221                </entry>
 222                <entry colname="2">
 223                  <para>
 224                    <optional>Text is enclosed in square brackets</optional>
 225                  </para>
 226                </entry>
 227              </row>
 228            </tbody>
 229          </tgroup>
 230        </informaltable>
 231      </para>
 232    </sect1>
 233    <sect1>
 234      <title>The Domain Name System (<acronym>DNS</acronym>)</title>
 235      <para>
 236        The purpose of this document is to explain the installation
 237        and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
 238	Name Domain) software package, and we
 239        begin by reviewing the fundamentals of the Domain Name System
 240        (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
 241      </para>
 242
 243      <sect2>
 244        <title>DNS Fundamentals</title>
 245
 246        <para>
 247          The Domain Name System (DNS) is a hierarchical, distributed
 248          database.  It stores information for mapping Internet host names to
 249          IP
 250          addresses and vice versa, mail routing information, and other data
 251          used by Internet applications.
 252        </para>
 253
 254        <para>
 255          Clients look up information in the DNS by calling a
 256          <emphasis>resolver</emphasis> library, which sends queries to one or
 257          more <emphasis>name servers</emphasis> and interprets the responses.
 258          The <acronym>BIND</acronym> 9 software distribution
 259          contains a
 260          name server, <command>named</command>, and a resolver
 261          library, <command>liblwres</command>.  The older
 262          <command>libbind</command> resolver library is also available
 263          from ISC as a separate download.
 264        </para>
 265
 266        </sect2><sect2>
 267        <title>Domains and Domain Names</title>
 268
 269        <para>
 270          The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
 271          organizational or administrative boundaries. Each node of the tree,
 272          called a <emphasis>domain</emphasis>, is given a label. The domain
 273          name of the
 274          node is the concatenation of all the labels on the path from the
 275          node to the <emphasis>root</emphasis> node.  This is represented
 276          in written form as a string of labels listed from right to left and
 277          separated by dots. A label need only be unique within its parent
 278          domain.
 279        </para>
 280
 281        <para>
 282          For example, a domain name for a host at the
 283          company <emphasis>Example, Inc.</emphasis> could be
 284          <literal>ourhost.example.com</literal>,
 285          where <literal>com</literal> is the
 286          top level domain to which
 287          <literal>ourhost.example.com</literal> belongs,
 288          <literal>example</literal> is
 289          a subdomain of <literal>com</literal>, and
 290          <literal>ourhost</literal> is the
 291          name of the host.
 292        </para>
 293
 294        <para>
 295          For administrative purposes, the name space is partitioned into
 296          areas called <emphasis>zones</emphasis>, each starting at a node and
 297          extending down to the leaf nodes or to nodes where other zones
 298          start.
 299          The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
 300          <emphasis>DNS protocol</emphasis>.
 301        </para>
 302
 303        <para>
 304          The data associated with each domain name is stored in the
 305          form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
 306          Some of the supported resource record types are described in
 307          <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
 308        </para>
 309
 310        <para>
 311          For more detailed information about the design of the DNS and
 312          the DNS protocol, please refer to the standards documents listed in
 313          <xref linkend="rfcs"/>.
 314        </para>
 315      </sect2>
 316
 317      <sect2>
 318        <title>Zones</title>
 319        <para>
 320          To properly operate a name server, it is important to understand
 321          the difference between a <emphasis>zone</emphasis>
 322          and a <emphasis>domain</emphasis>.
 323        </para>
 324
 325        <para>
 326          As stated previously, a zone is a point of delegation in
 327          the <acronym>DNS</acronym> tree. A zone consists of
 328          those contiguous parts of the domain
 329          tree for which a name server has complete information and over which
 330          it has authority. It contains all domain names from a certain point
 331          downward in the domain tree except those which are delegated to
 332          other zones. A delegation point is marked by one or more
 333          <emphasis>NS records</emphasis> in the
 334          parent zone, which should be matched by equivalent NS records at
 335          the root of the delegated zone.
 336        </para>
 337
 338        <para>
 339          For instance, consider the <literal>example.com</literal>
 340          domain which includes names
 341          such as <literal>host.aaa.example.com</literal> and
 342          <literal>host.bbb.example.com</literal> even though
 343          the <literal>example.com</literal> zone includes
 344          only delegations for the <literal>aaa.example.com</literal> and
 345          <literal>bbb.example.com</literal> zones.  A zone can
 346          map
 347          exactly to a single domain, but could also include only part of a
 348          domain, the rest of which could be delegated to other
 349          name servers. Every name in the <acronym>DNS</acronym>
 350          tree is a
 351          <emphasis>domain</emphasis>, even if it is
 352          <emphasis>terminal</emphasis>, that is, has no
 353          <emphasis>subdomains</emphasis>.  Every subdomain is a domain and
 354          every domain except the root is also a subdomain. The terminology is
 355          not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
 356          to
 357          gain a complete understanding of this difficult and subtle
 358          topic.
 359        </para>
 360
 361        <para>
 362          Though <acronym>BIND</acronym> is called a "domain name
 363          server",
 364          it deals primarily in terms of zones. The master and slave
 365          declarations in the <filename>named.conf</filename> file
 366          specify
 367          zones, not domains. When you ask some other site if it is willing to
 368          be a slave server for your <emphasis>domain</emphasis>, you are
 369          actually asking for slave service for some collection of zones.
 370        </para>
 371      </sect2>
 372
 373      <sect2>
 374        <title>Authoritative Name Servers</title>
 375
 376        <para>
 377          Each zone is served by at least
 378          one <emphasis>authoritative name server</emphasis>,
 379          which contains the complete data for the zone.
 380          To make the DNS tolerant of server and network failures,
 381          most zones have two or more authoritative servers, on
 382          different networks.
 383        </para>
 384
 385        <para>
 386          Responses from authoritative servers have the "authoritative
 387          answer" (AA) bit set in the response packets.  This makes them
 388          easy to identify when debugging DNS configurations using tools like
 389          <command>dig</command> (<xref linkend="diagnostic_tools"/>).
 390        </para>
 391
 392        <sect3>
 393          <title>The Primary Master</title>
 394
 395          <para>
 396            The authoritative server where the master copy of the zone
 397            data is maintained is called the
 398	    <emphasis>primary master</emphasis> server, or simply the
 399            <emphasis>primary</emphasis>.  Typically it loads the zone
 400            contents from some local file edited by humans or perhaps
 401            generated mechanically from some other local file which is
 402            edited by humans.  This file is called the
 403	    <emphasis>zone file</emphasis> or
 404	    <emphasis>master file</emphasis>.
 405          </para>
 406
 407	  <para>
 408	    In some cases, however, the master file may not be edited
 409	    by humans at all, but may instead be the result of
 410	    <emphasis>dynamic update</emphasis> operations.
 411	  </para>
 412        </sect3>
 413
 414        <sect3>
 415          <title>Slave Servers</title>
 416          <para>
 417            The other authoritative servers, the <emphasis>slave</emphasis>
 418            servers (also known as <emphasis>secondary</emphasis> servers)
 419            load
 420            the zone contents from another server using a replication process
 421            known as a <emphasis>zone transfer</emphasis>.  Typically the data
 422            are
 423            transferred directly from the primary master, but it is also
 424            possible
 425            to transfer it from another slave.  In other words, a slave server
 426            may itself act as a master to a subordinate slave server.
 427          </para>
 428        </sect3>
 429
 430        <sect3>
 431          <title>Stealth Servers</title>
 432
 433          <para>
 434            Usually all of the zone's authoritative servers are listed in
 435            NS records in the parent zone.  These NS records constitute
 436            a <emphasis>delegation</emphasis> of the zone from the parent.
 437            The authoritative servers are also listed in the zone file itself,
 438            at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
 439            of the zone.  You can list servers in the zone's top-level NS
 440            records that are not in the parent's NS delegation, but you cannot
 441            list servers in the parent's delegation that are not present at
 442            the zone's top level.
 443          </para>
 444
 445          <para>
 446            A <emphasis>stealth server</emphasis> is a server that is
 447            authoritative for a zone but is not listed in that zone's NS
 448            records.  Stealth servers can be used for keeping a local copy of
 449            a
 450            zone to speed up access to the zone's records or to make sure that
 451            the
 452            zone is available even if all the "official" servers for the zone
 453            are
 454            inaccessible.
 455          </para>
 456
 457          <para>
 458            A configuration where the primary master server itself is a
 459            stealth server is often referred to as a "hidden primary"
 460            configuration.  One use for this configuration is when the primary
 461            master
 462            is behind a firewall and therefore unable to communicate directly
 463            with the outside world.
 464          </para>
 465
 466        </sect3>
 467
 468      </sect2>
 469      <sect2>
 470
 471        <title>Caching Name Servers</title>
 472
 473	<!--
 474	  - Terminology here is inconsistent.  Probably ought to
 475	  - convert to using "recursive name server" everywhere
 476	  - with just a note about "caching" terminology.
 477	  -->
 478
 479        <para>
 480          The resolver libraries provided by most operating systems are
 481          <emphasis>stub resolvers</emphasis>, meaning that they are not
 482          capable of
 483          performing the full DNS resolution process by themselves by talking
 484          directly to the authoritative servers.  Instead, they rely on a
 485          local
 486          name server to perform the resolution on their behalf.  Such a
 487          server
 488          is called a <emphasis>recursive</emphasis> name server; it performs
 489          <emphasis>recursive lookups</emphasis> for local clients.
 490        </para>
 491
 492        <para>
 493          To improve performance, recursive servers cache the results of
 494          the lookups they perform.  Since the processes of recursion and
 495          caching are intimately connected, the terms
 496          <emphasis>recursive server</emphasis> and
 497          <emphasis>caching server</emphasis> are often used synonymously.
 498        </para>
 499
 500        <para>
 501          The length of time for which a record may be retained in
 502          the cache of a caching name server is controlled by the
 503          Time To Live (TTL) field associated with each resource record.
 504        </para>
 505
 506        <sect3>
 507          <title>Forwarding</title>
 508
 509          <para>
 510            Even a caching name server does not necessarily perform
 511            the complete recursive lookup itself.  Instead, it can
 512            <emphasis>forward</emphasis> some or all of the queries
 513            that it cannot satisfy from its cache to another caching name
 514            server,
 515            commonly referred to as a <emphasis>forwarder</emphasis>.
 516          </para>
 517
 518          <para>
 519            There may be one or more forwarders,
 520            and they are queried in turn until the list is exhausted or an
 521            answer
 522            is found. Forwarders are typically used when you do not
 523            wish all the servers at a given site to interact directly with the
 524            rest of
 525            the Internet servers. A typical scenario would involve a number
 526            of internal <acronym>DNS</acronym> servers and an
 527            Internet firewall. Servers unable
 528            to pass packets through the firewall would forward to the server
 529            that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
 530            on the internal server's behalf.
 531          </para>
 532        </sect3>
 533
 534      </sect2>
 535
 536      <sect2>
 537        <title>Name Servers in Multiple Roles</title>
 538
 539        <para>
 540          The <acronym>BIND</acronym> name server can
 541          simultaneously act as
 542          a master for some zones, a slave for other zones, and as a caching
 543          (recursive) server for a set of local clients.
 544        </para>
 545
 546        <para>
 547          However, since the functions of authoritative name service
 548          and caching/recursive name service are logically separate, it is
 549          often advantageous to run them on separate server machines.
 550
 551          A server that only provides authoritative name service
 552          (an <emphasis>authoritative-only</emphasis> server) can run with
 553          recursion disabled, improving reliability and security.
 554
 555          A server that is not authoritative for any zones and only provides
 556          recursive service to local
 557          clients (a <emphasis>caching-only</emphasis> server)
 558          does not need to be reachable from the Internet at large and can
 559          be placed inside a firewall.
 560        </para>
 561
 562      </sect2>
 563    </sect1>
 564
 565  </chapter>
 566
 567  <chapter id="Bv9ARM.ch02">
 568    <title><acronym>BIND</acronym> Resource Requirements</title>
 569
 570    <sect1>
 571      <title>Hardware requirements</title>
 572
 573      <para>
 574        <acronym>DNS</acronym> hardware requirements have
 575        traditionally been quite modest.
 576        For many installations, servers that have been pensioned off from
 577        active duty have performed admirably as <acronym>DNS</acronym> servers.
 578      </para>
 579      <para>
 580        The DNSSEC features of <acronym>BIND</acronym> 9
 581        may prove to be quite
 582        CPU intensive however, so organizations that make heavy use of these
 583        features may wish to consider larger systems for these applications.
 584        <acronym>BIND</acronym> 9 is fully multithreaded, allowing
 585        full utilization of
 586        multiprocessor systems for installations that need it.
 587      </para>
 588    </sect1>
 589    <sect1>
 590      <title>CPU Requirements</title>
 591      <para>
 592        CPU requirements for <acronym>BIND</acronym> 9 range from
 593        i486-class machines
 594        for serving of static zones without caching, to enterprise-class
 595        machines if you intend to process many dynamic updates and DNSSEC
 596        signed zones, serving many thousands of queries per second.
 597      </para>
 598    </sect1>
 599
 600    <sect1>
 601      <title>Memory Requirements</title>
 602      <para>
 603        The memory of the server has to be large enough to fit the
 604        cache and zones loaded off disk.  The <command>max-cache-size</command>
 605        option can be used to limit the amount of memory used by the cache,
 606        at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
 607        traffic.
 608        Additionally, if additional section caching
 609        (<xref linkend="acache"/>) is enabled,
 610        the <command>max-acache-size</command> option can be used to
 611        limit the amount
 612        of memory used by the mechanism.
 613        It is still good practice to have enough memory to load
 614        all zone and cache data into memory &mdash; unfortunately, the best
 615        way
 616        to determine this for a given installation is to watch the name server
 617        in operation. After a few weeks the server process should reach
 618        a relatively stable size where entries are expiring from the cache as
 619        fast as they are being inserted.
 620      </para>
 621      <!--
 622        - Add something here about leaving overhead for attacks?
 623	- How much overhead?  Percentage?
 624        -->
 625    </sect1>
 626
 627    <sect1>
 628      <title>Name Server Intensive Environment Issues</title>
 629      <para>
 630        For name server intensive environments, there are two alternative
 631        configurations that may be used. The first is where clients and
 632        any second-level internal name servers query a main name server, which
 633        has enough memory to build a large cache. This approach minimizes
 634        the bandwidth used by external name lookups. The second alternative
 635        is to set up second-level internal name servers to make queries
 636        independently.
 637        In this configuration, none of the individual machines needs to
 638        have as much memory or CPU power as in the first alternative, but
 639        this has the disadvantage of making many more external queries,
 640        as none of the name servers share their cached data.
 641      </para>
 642    </sect1>
 643
 644    <sect1>
 645      <title>Supported Operating Systems</title>
 646      <para>
 647        ISC <acronym>BIND</acronym> 9 compiles and runs on a large
 648        number
 649        of Unix-like operating systems and on 
 650        Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
 651        For an up-to-date
 652        list of supported systems, see the README file in the top level
 653        directory
 654        of the BIND 9 source distribution.
 655      </para>
 656    </sect1>
 657  </chapter>
 658
 659  <chapter id="Bv9ARM.ch03">
 660    <title>Name Server Configuration</title>
 661    <para>
 662      In this chapter we provide some suggested configurations along
 663      with guidelines for their use.  We suggest reasonable values for
 664      certain option settings.
 665    </para>
 666
 667    <sect1 id="sample_configuration">
 668      <title>Sample Configurations</title>
 669      <sect2>
 670        <title>A Caching-only Name Server</title>
 671        <para>
 672          The following sample configuration is appropriate for a caching-only
 673          name server for use by clients internal to a corporation.  All
 674          queries
 675          from outside clients are refused using the <command>allow-query</command>
 676          option.  Alternatively, the same effect could be achieved using
 677          suitable
 678          firewall rules.
 679        </para>
 680
 681<programlisting>
 682// Two corporate subnets we wish to allow queries from.
 683acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
 684options {
 685     // Working directory
 686     directory "/etc/namedb";
 687
 688     allow-query { corpnets; };
 689};
 690// Provide a reverse mapping for the loopback
 691// address 127.0.0.1
 692zone "0.0.127.in-addr.arpa" {
 693     type master;
 694     file "localhost.rev";
 695     notify no;
 696};
 697</programlisting>
 698
 699      </sect2>
 700
 701      <sect2>
 702        <title>An Authoritative-only Name Server</title>
 703        <para>
 704          This sample configuration is for an authoritative-only server
 705          that is the master server for "<filename>example.com</filename>"
 706          and a slave for the subdomain "<filename>eng.example.com</filename>".
 707        </para>
 708
 709<programlisting>
 710options {
 711     // Working directory
 712     directory "/etc/namedb";
 713     // Do not allow access to cache
 714     allow-query-cache { none; };
 715     // This is the default
 716     allow-query { any; };
 717     // Do not provide recursive service
 718     recursion no;
 719};
 720
 721// Provide a reverse mapping for the loopback
 722// address 127.0.0.1
 723zone "0.0.127.in-addr.arpa" {
 724     type master;
 725     file "localhost.rev";
 726     notify no;
 727};
 728// We are the master server for example.com
 729zone "example.com" {
 730     type master;
 731     file "example.com.db";
 732     // IP addresses of slave servers allowed to
 733     // transfer example.com
 734     allow-transfer {
 735          192.168.4.14;
 736          192.168.5.53;
 737     };
 738};
 739// We are a slave server for eng.example.com
 740zone "eng.example.com" {
 741     type slave;
 742     file "eng.example.com.bk";
 743     // IP address of eng.example.com master server
 744     masters { 192.168.4.12; };
 745};
 746</programlisting>
 747
 748      </sect2>
 749    </sect1>
 750
 751    <sect1>
 752      <title>Load Balancing</title>
 753      <!--
 754        - Add explanation of why load balancing is fragile at best
 755	- and completely pointless in the general case.
 756        -->
 757
 758      <para>
 759        A primitive form of load balancing can be achieved in
 760        the <acronym>DNS</acronym> by using multiple records
 761	(such as multiple A records) for one name.
 762      </para>
 763
 764      <para>
 765        For example, if you have three WWW servers with network addresses
 766        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
 767        following means that clients will connect to each machine one third
 768        of the time:
 769      </para>
 770
 771      <informaltable colsep="0" rowsep="0">
 772        <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
 773          <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
 774          <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
 775          <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
 776          <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
 777          <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
 778          <tbody>
 779            <row rowsep="0">
 780              <entry colname="1">
 781                <para>
 782                  Name
 783                </para>
 784              </entry>
 785              <entry colname="2">
 786                <para>
 787                  TTL
 788                </para>
 789              </entry>
 790              <entry colname="3">
 791                <para>
 792                  CLASS
 793                </para>
 794              </entry>
 795              <entry colname="4">
 796                <para>
 797                  TYPE
 798                </para>
 799              </entry>
 800              <entry colname="5">
 801                <para>
 802                  Resource Record (RR) Data
 803                </para>
 804              </entry>
 805            </row>
 806            <row rowsep="0">
 807              <entry colname="1">
 808                <para>
 809                  <literal>www</literal>
 810                </para>
 811              </entry>
 812              <entry colname="2">
 813                <para>
 814                  <literal>600</literal>
 815                </para>
 816              </entry>
 817              <entry colname="3">
 818                <para>
 819                  <literal>IN</literal>
 820                </para>
 821              </entry>
 822              <entry colname="4">
 823                <para>
 824                  <literal>A</literal>
 825                </para>
 826              </entry>
 827              <entry colname="5">
 828                <para>
 829                  <literal>10.0.0.1</literal>
 830                </para>
 831              </entry>
 832            </row>
 833            <row rowsep="0">
 834              <entry colname="1">
 835                <para/>
 836              </entry>
 837              <entry colname="2">
 838                <para>
 839                  <literal>600</literal>
 840                </para>
 841              </entry>
 842              <entry colname="3">
 843                <para>
 844                  <literal>IN</literal>
 845                </para>
 846              </entry>
 847              <entry colname="4">
 848                <para>
 849                  <literal>A</literal>
 850                </para>
 851              </entry>
 852              <entry colname="5">
 853                <para>
 854                  <literal>10.0.0.2</literal>
 855                </para>
 856              </entry>
 857            </row>
 858            <row rowsep="0">
 859              <entry colname="1">
 860                <para/>
 861              </entry>
 862              <entry colname="2">
 863                <para>
 864                  <literal>600</literal>
 865                </para>
 866              </entry>
 867              <entry colname="3">
 868                <para>
 869                  <literal>IN</literal>
 870                </para>
 871              </entry>
 872              <entry colname="4">
 873                <para>
 874                  <literal>A</literal>
 875                </para>
 876              </entry>
 877              <entry colname="5">
 878                <para>
 879                  <literal>10.0.0.3</literal>
 880                </para>
 881              </entry>
 882            </row>
 883          </tbody>
 884        </tgroup>
 885      </informaltable>
 886      <para>
 887        When a resolver queries for these records, <acronym>BIND</acronym> will rotate
 888        them and respond to the query with the records in a different
 889        order.  In the example above, clients will randomly receive
 890        records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
 891        will use the first record returned and discard the rest.
 892      </para>
 893      <para>
 894        For more detail on ordering responses, check the
 895        <command>rrset-order</command> sub-statement in the
 896        <command>options</command> statement, see
 897        <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
 898      </para>
 899
 900    </sect1>
 901
 902    <sect1>
 903      <title>Name Server Operations</title>
 904
 905      <sect2>
 906        <title>Tools for Use With the Name Server Daemon</title>
 907        <para>
 908          This section describes several indispensable diagnostic,
 909          administrative and monitoring tools available to the system
 910          administrator for controlling and debugging the name server
 911          daemon.
 912        </para>
 913        <sect3 id="diagnostic_tools">
 914          <title>Diagnostic Tools</title>
 915          <para>
 916            The <command>dig</command>, <command>host</command>, and
 917            <command>nslookup</command> programs are all command
 918            line tools
 919            for manually querying name servers.  They differ in style and
 920            output format.
 921          </para>
 922
 923          <variablelist>
 924            <varlistentry>
 925              <term id="dig"><command>dig</command></term>
 926              <listitem>
 927                <para>
 928                  The domain information groper (<command>dig</command>)
 929                  is the most versatile and complete of these lookup tools.
 930                  It has two modes: simple interactive
 931                  mode for a single query, and batch mode which executes a
 932                  query for
 933                  each in a list of several query lines. All query options are
 934                  accessible
 935                  from the command line.
 936                </para>
 937                <cmdsynopsis label="Usage">
 938                  <command>dig</command>
 939                  <arg>@<replaceable>server</replaceable></arg>
 940                  <arg choice="plain"><replaceable>domain</replaceable></arg>
 941                  <arg><replaceable>query-type</replaceable></arg>
 942                  <arg><replaceable>query-class</replaceable></arg>
 943                  <arg>+<replaceable>query-option</replaceable></arg>
 944                  <arg>-<replaceable>dig-option</replaceable></arg>
 945                  <arg>%<replaceable>comment</replaceable></arg>
 946                </cmdsynopsis>
 947                <para>
 948                  The usual simple use of <command>dig</command> will take the form
 949                </para>
 950                <simpara>
 951                  <command>dig @server domain query-type query-class</command>
 952                </simpara>
 953                <para>
 954                  For more information and a list of available commands and
 955                  options, see the <command>dig</command> man
 956                  page.
 957                </para>
 958              </listitem>
 959            </varlistentry>
 960
 961            <varlistentry>
 962              <term><command>host</command></term>
 963              <listitem>
 964                <para>
 965                  The <command>host</command> utility emphasizes
 966                  simplicity
 967                  and ease of use.  By default, it converts
 968                  between host names and Internet addresses, but its
 969                  functionality
 970                  can be extended with the use of options.
 971                </para>
 972                <cmdsynopsis label="Usage">
 973                  <command>host</command>
 974                  <arg>-aCdlnrsTwv</arg>
 975                  <arg>-c <replaceable>class</replaceable></arg>
 976                  <arg>-N <replaceable>ndots</replaceable></arg>
 977                  <arg>-t <replaceable>type</replaceable></arg>
 978                  <arg>-W <replaceable>timeout</replaceable></arg>
 979                  <arg>-R <replaceable>retries</replaceable></arg>
 980                  <arg>-m <replaceable>flag</replaceable></arg>
 981		  <arg>-4</arg>
 982		  <arg>-6</arg>
 983                  <arg choice="plain"><replaceable>hostname</replaceable></arg>
 984                  <arg><replaceable>server</replaceable></arg>
 985                </cmdsynopsis>
 986                <para>
 987                  For more information and a list of available commands and
 988                  options, see the <command>host</command> man
 989                  page.
 990                </para>
 991              </listitem>
 992            </varlistentry>
 993
 994            <varlistentry>
 995              <term><command>nslookup</command></term>
 996              <listitem>
 997                <para><command>nslookup</command>
 998		  has two modes: interactive and
 999                  non-interactive. Interactive mode allows the user to
1000                  query name servers for information about various
1001                  hosts and domains or to print a list of hosts in a
1002                  domain. Non-interactive mode is used to print just
1003                  the name and requested information for a host or
1004                  domain.
1005                </para>
1006                <cmdsynopsis label="Usage">
1007                  <command>nslookup</command>
1008                  <arg rep="repeat">-option</arg>
1009                  <group>
1010                    <arg><replaceable>host-to-find</replaceable></arg>
1011                    <arg>- <arg>server</arg></arg>
1012                  </group>
1013                </cmdsynopsis>
1014                <para>
1015                  Interactive mode is entered when no arguments are given (the
1016                  default name server will be used) or when the first argument
1017                  is a
1018                  hyphen (`-') and the second argument is the host name or
1019                  Internet address
1020                  of a name server.
1021                </para>
1022                <para>
1023                  Non-interactive mode is used when the name or Internet
1024                  address
1025                  of the host to be looked up is given as the first argument.
1026                  The
1027                  optional second argument specifies the host name or address
1028                  of a name server.
1029                </para>
1030                <para>
1031                  Due to its arcane user interface and frequently inconsistent
1032                  behavior, we do not recommend the use of <command>nslookup</command>.
1033                  Use <command>dig</command> instead.
1034                </para>
1035              </listitem>
1036
1037            </varlistentry>
1038          </variablelist>
1039        </sect3>
1040
1041        <sect3 id="admin_tools">
1042          <title>Administrative Tools</title>
1043          <para>
1044            Administrative tools play an integral part in the management
1045            of a server.
1046          </para>
1047          <variablelist>
1048            <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1049
1050              <term><command>named-checkconf</command></term>
1051              <listitem>
1052                <para>
1053                  The <command>named-checkconf</command> program
1054                  checks the syntax of a <filename>named.conf</filename> file.
1055                </para>
1056                <cmdsynopsis label="Usage">
1057                  <command>named-checkconf</command>
1058                  <arg>-jvz</arg>
1059                  <arg>-t <replaceable>directory</replaceable></arg>
1060                  <arg><replaceable>filename</replaceable></arg>
1061                </cmdsynopsis>
1062              </listitem>
1063            </varlistentry>
1064            <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1065
1066              <term><command>named-checkzone</command></term>
1067              <listitem>
1068                <para>
1069                  The <command>named-checkzone</command> program
1070                  checks a master file for
1071                  syntax and consistency.
1072                </para>
1073                <cmdsynopsis label="Usage">
1074                  <command>named-checkzone</command>
1075                  <arg>-djqvD</arg>
1076                  <arg>-c <replaceable>class</replaceable></arg>
1077                  <arg>-o <replaceable>output</replaceable></arg>
1078                  <arg>-t <replaceable>directory</replaceable></arg>
1079                  <arg>-w <replaceable>directory</replaceable></arg>
1080                  <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1081                  <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1082                  <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1083                  <arg choice="plain"><replaceable>zone</replaceable></arg>
1084                  <arg><replaceable>filename</replaceable></arg>
1085                </cmdsynopsis>
1086              </listitem>
1087            </varlistentry>
1088	    <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
1089	      <term><command>named-compilezone</command></term>
1090	      <listitem>
1091		<para>
1092		  Similar to <command>named-checkzone,</command> but
1093		  it always dumps the zone content to a specified file
1094		  (typically in a different format).
1095		</para>
1096	      </listitem>
1097	    </varlistentry>
1098            <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1099
1100              <term><command>rndc</command></term>
1101              <listitem>
1102                <para>
1103                  The remote name daemon control
1104                  (<command>rndc</command>) program allows the
1105                  system
1106                  administrator to control the operation of a name server.
1107                  Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1108                  supports all the commands of the BIND 8 <command>ndc</command>
1109                  utility except <command>ndc start</command> and
1110                  <command>ndc restart</command>, which were also
1111                  not supported in <command>ndc</command>'s
1112                  channel mode.
1113                  If you run <command>rndc</command> without any
1114                  options
1115                  it will display a usage message as follows:
1116                </para>
1117                <cmdsynopsis label="Usage">
1118                  <command>rndc</command>
1119                  <arg>-c <replaceable>config</replaceable></arg>
1120                  <arg>-s <replaceable>server</replaceable></arg>
1121                  <arg>-p <replaceable>port</replaceable></arg>
1122                  <arg>-y <replaceable>key</replaceable></arg>
1123                  <arg choice="plain"><replaceable>command</replaceable></arg>
1124                  <arg rep="repeat"><replaceable>command</replaceable></arg>
1125                </cmdsynopsis>
1126                <para>The <command>command</command>
1127		  is one of the following:
1128                </para>
1129
1130                <variablelist>
1131
1132                  <varlistentry>
1133                    <term><userinput>reload</userinput></term>
1134                    <listitem>
1135                      <para>
1136                        Reload configuration file and zones.
1137                      </para>
1138                    </listitem>
1139                  </varlistentry>
1140
1141                  <varlistentry>
1142                    <term><userinput>reload <replaceable>zone</replaceable>
1143                        <optional><replaceable>class</replaceable>
1144           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1145                    <listitem>
1146                      <para>
1147                        Reload the given zone.
1148                      </para>
1149                    </listitem>
1150                  </varlistentry>
1151
1152                  <varlistentry>
1153                    <term><userinput>refresh <replaceable>zone</replaceable>
1154                        <optional><replaceable>class</replaceable>
1155           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1156                    <listitem>
1157                      <para>
1158                        Schedule zone maintenance for the given zone.
1159                      </para>
1160                    </listitem>
1161                  </varlistentry>
1162
1163                  <varlistentry>
1164                    <term><userinput>retransfer <replaceable>zone</replaceable>
1165
1166                        <optional><replaceable>class</replaceable>
1167           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1168                    <listitem>
1169                      <para>
1170                        Retransfer the given zone from the master.
1171                      </para>
1172                    </listitem>
1173                  </varlistentry>
1174
1175                  <varlistentry>
1176                    <term><userinput>sign <replaceable>zone</replaceable>
1177                        <optional><replaceable>class</replaceable>
1178           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1179                    <listitem>
1180                      <para>
1181                        Fetch all DNSSEC keys for the given zone
1182                        from the key directory (see
1183                        <command>key-directory</command> in
1184                        <xref linkend="options"/>).  If they are within
1185                        their publication period, merge them into the
1186                        zone's DNSKEY RRset.  If the DNSKEY RRset
1187                        is changed, then the zone is automatically
1188                        re-signed with the new key set.
1189                      </para>
1190                      <para>
1191                        This command requires that the
1192                        <command>auto-dnssec</command> zone option be set
1193                        to <literal>allow</literal> or
1194                        <literal>maintain</literal>,
1195                        and also requires the zone to be configured to
1196                        allow dynamic DNS.
1197                        See <xref linkend="dynamic_update_policies"/> for
1198                        more details.
1199                      </para>
1200                    </listitem>
1201                  </varlistentry>
1202
1203                  <varlistentry>
1204                    <term><userinput>loadkeys <replaceable>zone</replaceable>
1205                        <optional><replaceable>class</replaceable>
1206           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1207                    <listitem>
1208                      <para>
1209                        Fetch all DNSSEC keys for the given zone
1210                        from the key directory (see
1211                        <command>key-directory</command> in
1212                        <xref linkend="options"/>).  If they are within
1213                        their publication period, merge them into the
1214                        zone's DNSKEY RRset.  Unlike <command>rndc
1215                        sign</command>, however, the zone is not
1216                        immediately re-signed by the new keys, but is
1217                        allowed to incrementally re-sign over time.
1218                      </para>
1219                      <para>
1220                        This command requires that the
1221                        <command>auto-dnssec</command> zone option
1222                        be set to <literal>maintain</literal>,
1223                        and also requires the zone to be configured to
1224                        allow dynamic DNS.
1225                        See <xref linkend="dynamic_update_policies"/> for
1226                        more details.
1227                      </para>
1228                    </listitem>
1229                  </varlistentry>
1230
1231                  <varlistentry>
1232                    <term><userinput>freeze
1233                        <optional><replaceable>zone</replaceable>
1234       <optional><replaceable>class</replaceable>
1235           <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1236                    <listitem>
1237                      <para>
1238                        Suspend updates to a dynamic zone.  If no zone is
1239                        specified,
1240                        then all zones are suspended.  This allows manual
1241                        edits to be made to a zone normally updated by dynamic
1242                        update.  It
1243                        also causes changes in the journal file to be synced
1244                        into the master
1245                        and the journal file to be removed.  All dynamic
1246                        update attempts will
1247                        be refused while the zone is frozen.
1248                      </para>
1249                    </listitem>
1250                  </varlistentry>
1251
1252                  <varlistentry>
1253                    <term><userinput>thaw
1254                        <optional><replaceable>zone</replaceable>
1255       <optional><replaceable>class</replaceable>
1256           <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1257                    <listitem>
1258                      <para>
1259                        Enable updates to a frozen dynamic zone.  If no zone
1260                        is
1261                        specified, then all frozen zones are enabled.  This
1262                        causes
1263                        the server …

Large files files are truncated, but you can click here to view the full file