DNS and BIND, 4th Edition
By Paul Albitz, Cricket Liu
Publisher: O'Reilly
Pub Date: April 2001
ISBN: 0-596-00158-4
Pages: 622

The fourth edition of DNS and BIND covers the new 9.1.0 and 8.2.3 versions of BIND as well as the older 4.9 version. There's also more extensive coverage of NOTIFY, IPv6 forward and reverse mapping, transaction signatures, and the new DNS Security Extensions; and a section on accommodating Windows 2000 clients, servers and Domain Controllers.

Table of Contents

Copyright
Preface
    Versions
    What's New in the Fourth Edition?
    Organization
    Audience
    Obtaining the Example Programs
    Contacting O'Reilly
    Conventions Used in This Book
    Quotations
    Acknowledgments
Chapter 1 Background
    Section 1.1 A (Very) Brief History of the Internet
    Section 1.2 On the Internet and internets
    Section 1.3 The Domain Name System in a Nutshell
    Section 1.4 The History of BIND
    Section 1.5 Must I Use DNS?
Chapter 2 How Does DNS Work?
    Section 2.1 The Domain Name Space
    Section 2.2 The Internet Domain Name Space
    Section 2.3 Delegation
    Section 2.4 Name Servers and Zones
    Section 2.5 Resolvers
    Section 2.6 Resolution
    Section 2.7 Caching
Chapter 3 Where Do I Start?
    Section 3.1 Getting BIND
    Section 3.2 Choosing a Domain Name
Chapter 4 Setting Up BIND
    Section 4.1 Our Zone
    Section 4.2 Setting Up Zone Data
    Section 4.3 Setting Up a BIND Configuration File
    Section 4.4 Abbreviations
    Section 4.5 Host Name Checking (BIND 4.9.4 and Later Versions)
    Section 4.6 Tools
    Section 4.7 Running a Primary Master Name Server
    Section 4.8 Running a Slave Name Server
    Section 4.9 Adding More Zones
    Section 4.10 What Next?
Chapter 5 DNS and Electronic Mail
    Section 5.1 MX Records
    Section 5.2 What's a Mail Exchanger, Again?
    Section 5.3 The MX Algorithm
Chapter 6 Configuring Hosts
    Section 6.1 The Resolver
    Section 6.2 Sample Resolver Configurations
    Section 6.3 Minimizing Pain and Suffering
    Section 6.4 Vendor-Specific Options
Chapter 7 Maintaining BIND
    Section 7.1 Controlling the Name Server
    Section 7.2 Updating Zone Data Files
    Section 7.3 Organizing Your Files
    Section 7.4 Changing System File Locations in BIND 8 and 9
    Section 7.5 Logging in BIND 8 and 9
    Section 7.6 Keeping Everything Running Smoothly
Chapter 8 Growing Your Domain
    Section 8.1 How Many Name Servers?
    Section 8.2 Adding More Name Servers
    Section 8.3 Registering Name Servers
    Section 8.4 Changing TTLs
    Section 8.5 Planning for Disasters
    Section 8.6 Coping with Disaster
Chapter 9 Parenting
    Section 9.1 When to Become a Parent
    Section 9.2 How Many Children?
    Section 9.3 What to Name Your Children
    Section 9.4 How to Become a Parent: Creating Subdomains
    Section 9.5 Subdomains of in-addr.arpa Domains
    Section 9.6 Good Parenting
    Section 9.7 Managing the Transition to Subdomains
    Section 9.8 The Life of a Parent
Chapter 10 Advanced Features
    Section 10.1 Address Match Lists and ACLs
    Section 10.2 DNS Dynamic Update
    Section 10.3 DNS NOTIFY (Zone Change Notification)
    Section 10.4 Incremental Zone Transfer (IXFR)
    Section 10.5 Forwarding
    Section 10.6 Views
    Section 10.7 Round Robin Load Distribution
    Section 10.8 Name Server Address Sorting
    Section 10.9 Preferring Name Servers on Certain Networks
    Section 10.10 A Nonrecursive Name Server
    Section 10.11 Avoiding a Bogus Name Server
    Section 10.12 System Tuning
    Section 10.13 Compatibility
    Section 10.14 The ABCs of IPv6 Addressing
    Section 10.15 Addresses and Ports
    Section 10.16 IPv6 Forward and Reverse Mapping
Chapter 11 Security
    Section 11.1 TSIG
    Section 11.2 Securing Your Name Server
    Section 11.3 DNS and Internet Firewalls
    Section 11.4 The DNS Security Extensions
Chapter 12 nslookup and dig
    Section 12.1 Is nslookup a Good Tool?
    Section 12.2 Interactive Versus Noninteractive
    Section 12.3 Option Settings
    Section 12.4 Avoiding the Search List
    Section 12.5 Common Tasks
    Section 12.6 Less Common Tasks
    Section 12.7 Troubleshooting nslookup Problems
    Section 12.8 Best of the Net
    Section 12.9 Using dig
Chapter 13 Reading BIND Debugging Output
    Section 13.1 Debugging Levels
    Section 13.2 Turning On Debugging
    Section 13.3 Reading Debugging Output
    Section 13.4 The Resolver Search Algorithm and Negative Caching (BIND 8)
    Section 13.5 The Resolver Search Algorithm and Negative Caching (BIND 9)
    Section 13.6 Tools
Chapter 14 Troubleshooting DNS and BIND
    Section 14.1 Is NIS Really Your Problem?
    Section 14.2 Troubleshooting Tools and Techniques
    Section 14.3 Potential Problem List
    Section 14.4 Transition Problems
    Section 14.5 Interoperability and Version Problems
    Section 14.6 TSIG Errors
    Section 14.7 Problem Symptoms
Chapter 15 Programming with the Resolver and Name Server Library Routines
    Section 15.1 Shell Script Programming with nslookup
    Section 15.2 C Programming with the Resolver Library Routines
    Section 15.3 Perl Programming with Net::DNS
Chapter 16 Miscellaneous
    Section 16.1 Using CNAME Records
    Section 16.2 Wildcards
    Section 16.3 A Limitation of MX Records
    Section 16.4 Dialup Connections
    Section 16.5 Network Names and Numbers
    Section 16.6 Additional Resource Records
    Section 16.7 DNS and WINS
    Section 16.8 DNS and Windows 2000
Appendix A DNS Message Format and Resource Records
    Section A.1 Master File Format
    Section A.2 DNS Messages
    Section A.3 Resource Record Data
Appendix B BIND Compatibility Matrix
Appendix C Compiling and Installing BIND on Linux
    Section C.1 Instructions for BIND 8.2.3
    Section C.2 Instructions for BIND 9.1.0
Appendix D Top-Level Domains
Appendix E BIND Name Server and Resolver Configuration
    Section E.1 BIND Name Server Boot File Directives and Configuration File Statements
    Section E.2 BIND 4 Boot File Directives
    Section E.3 BIND 8 Configuration File Statements
    Section E.4 BIND 9 Configuration File Statements
    Section E.5 BIND Resolver Statements
Colophon
Index
Copyright

Copyright © 2001 O'Reilly & Associates, Inc. All rights reserved.

Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. The association between the image of grasshoppers and the topic of DNS and BIND is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Preface

You may not know much about the Domain Name System—yet—but whenever you use the Internet, you use DNS. Every time you send electronic mail or surf the World Wide Web, you rely on the Domain Name System.

You see, while you, as a human being, prefer to remember the names of computers, computers like to address each other by number. On an internet, that number is 32 bits long, or between zero and four billion or so.[1] That's easy for a computer to remember because computers have lots of memory ideal for storing numbers, but it isn't nearly as easy for us humans. Pick 10 phone numbers out of the phone book at random and then try to remember them. Not easy? Now flip to the front of the phone book and attach random area codes to the phone numbers. That's about how difficult it would be to remember 10 arbitrary internet addresses.

[1] And, with IP Version 6, it's a whopping 128 bits long, or between zero and a decimal number with 39 digits.

This is part of the reason we need the Domain Name System. DNS handles mapping between host names, which we humans find convenient, and between internet addresses, which computers deal with. In fact, DNS is the standard mechanism on the Internet for advertising and accessing all kinds of information about hosts, not just addresses. And DNS is used by virtually all internetworking software, including electronic mail, remote terminal programs such as Telnet, file transfer programs such as FTP, and web browsers such as Netscape Navigator and Microsoft Internet Explorer.

Another important feature of DNS is that it makes host information available all over the Internet. Keeping information about hosts in a formatted file on a single computer only helps users on that computer. DNS provides a means of retrieving information remotely from anywhere on the network.

More than that, DNS lets you distribute the management of host information among many sites and organizations. You don't need to submit your data to some central site or periodically retrieve copies of the "master" database. You simply make sure your section, called a zone, is up to date on your name servers. Your name servers make your zone's data available to all the other name servers on the network.

Because the database is distributed, the system also needs the ability to locate the data you're looking for by searching a number of possible locations. The Domain Name System gives name servers the intelligence to navigate through the database and find data in any zone.

Of course, DNS does have a few problems. For example, the system allows more than one name server to store data about a zone, for redundancy's sake. But inconsistencies can crop up between copies of the zone data.

But the worst problem with DNS is that despite its widespread use on the Internet, there's really very little documentation about managing and maintaining it. Most administrators on the Internet make do with the documentation their vendors see fit to provide and with whatever they can glean from following the Internet mailing lists and Usenet newsgroups on the subject.

This lack of documentation means that the understanding of an enormously important internet service—one of the linchpins of today's Internet—is either handed down from administrator to administrator like a closely guarded family recipe, or relearned repeatedly by isolated programmers and engineers. New administrators of zones suffer through the same mistakes made by countless others.

Our aim with this book is to help remedy this situation. We realize that not all of you have the time or the desire to become DNS experts. Most of you, after all, have plenty to do besides managing your zones and name servers: system administration, network engineering, or software development. It takes an awfully big institution to devote a whole person to DNS. We'll try to give you enough information to let you do what you need to do, whether that's running a small zone or managing a multinational monstrosity, tending a single name server or shepherding a hundred of them. Read as much as you need to know now, and come back later if you need to learn more.

DNS is a big topic—big enough to require two authors, anyway—and we've tried to present it as sensibly and understandably as possible. The first two chapters give you a good theoretical overview and enough practical information to get by, and later chapters fill in the nitty-gritty details. We provide a roadmap up front to suggest a path through the book appropriate for your job or interest.

When we talk about actual DNS software, we'll concentrate almost exclusively on BIND, the Berkeley Internet Name Domain software, which is the most popular implementation of the DNS specs (and the one we know best). We've tried to distill our experience in managing and maintaining zones with BIND into this book. (One of our zones, incidentally, was once one of the largest on the Internet, but that was a long time ago.)
Where possible, we've included the real programs we use in administration, many of them rewritten into Perl for speed and efficiency.

We hope this book will help you get acquainted with DNS and BIND if you're just starting out, refine your understanding if you're already familiar with them, and provide valuable insight and experience even if you know 'em like the back of your hand.

Versions

The fourth edition of this book deals with the new 9.1.0 and 8.2.3 versions of BIND as well as the older 4.9 versions. While 9.1.0 and 8.2.3 are the most recent versions as of this writing, they haven't made their way into many vendors' versions of Unix yet, partly because both versions have only recently been released and many vendors are wary of using such new software. We also occasionally mention other versions of BIND, especially 4.8.3, because many vendors continue to ship code based on this older software as part of their Unix products. Whenever a feature is available only in the 4.9, 8.2.3, or 9.1.0 version, or when there is a difference in the behavior of the versions, we try to point out which version does what.

We use nslookup, a name server utility program, very frequently in our examples. The version we use is the one shipped with the 8.2.3 BIND code. Older versions of nslookup provide much, but not quite all, of the functionality in the 8.2.3 nslookup.[2] We've used commands common to most nslookups in most of our examples; when this was not possible, we tried to note it. See Chapter 12 for details.

[2] This is also true of the version of nslookup shipped with BIND

What's New in the Fourth Edition?

Besides updating the book to cover the most recent versions of BIND, we've added a fair amount of new material to the fourth edition:

• More extensive coverage of dynamic update and NOTIFY, including signed dynamic updates and BIND 9's new update-policy mechanism, in Chapter 10
• Incremental zone transfer, also in Chapter 10
• Forward zones, which support conditional forwarding, in Chapter 10
• IPv6 forward and reverse mapping using the new A6 and DNAME records, as well as bitstring labels, at the end of Chapter 10
• Transaction signatures, also known as TSIG, a new mechanism for authenticating transactions, in Chapter 11
• An expanded section on securing name servers, in Chapter 11
• An expanded section on dealing with Internet firewalls, in Chapter 11
• Coverage of the DNS Security Extensions, or DNSSEC, a new mechanism for digitally signing zone data, also in Chapter 11
• A section on accommodating Windows 2000 clients, servers, and Domain Controllers with BIND, in
Chapter 16

E.3 BIND 8 Configuration File Statements

E.3.1 acl

Function:
Creates a named address match list.

Syntax:
    acl name {
        address_match_list;
    };

Covered in Chapter 10 and Chapter 11.

E.3.2 controls (8.2+)

Function:
Configures a channel used by ndc to control the name server.

Syntax:
    controls {
        [ inet ( ip_addr | * ) port ip_port allow address_match_list; ]
        [ unix path_name perm number owner number group number; ]
    };

Covered in Chapter 7.

E.3.3 include

Function:
Inserts the specified file at the point that the include statement is encountered.

Syntax:
    include path_name;

Covered in Chapter

E.3.4 key (8.2+)

Function:
Defines a key ID that can be used in a server statement or an address match list to associate a TSIG key with a particular name server.

Syntax:
    key key_id {
        algorithm algorithm_id;
        secret secret_string;
    };

Covered in Chapter 10 and Chapter 11.

E.3.5 logging

Function:
Configures the name server's logging behavior.

Syntax:
    logging {
        [ channel channel_name {
            ( file path_name
                [ versions ( number | unlimited ) ]
                [ size size_spec ]
              | syslog ( kern | user | mail | daemon | auth | syslog | lpr |
                         news | uucp | cron | authpriv | ftp |
                         local0 | local1 | local2 | local3 |
                         local4 | local5 | local6 | local7 )
              | null );
            [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ]
            [ print-category yes_or_no; ]
            [ print-severity yes_or_no; ]
            [ print-time yes_or_no; ]
        }; ]
        [ category category_name {
            channel_name; [ channel_name; ]
        }; ]
    };

Covered in Chapter 7.

E.3.6 options

Function:
Configures global options.

Syntax:
    options {
        [ allow-query { address_match_list }; ]
        [ allow-recursion { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ also-notify { ip_addr; [ ip_addr; ] }; ]
        [ auth-nxdomain yes_or_no; ]
        [ blackhole { address_match_list }; ]
        [ check-names ( master | slave | response ) ( warn | fail | ignore ); ]
        [ cleaning-interval number; ]
        [ coresize size_spec; ]
        [ datasize size_spec; ]
        [ deallocate-on-exit yes_or_no; ]
        [ dialup yes_or_no; ]
        [ directory path_name; ]
        [ dump-file path_name; ]
        [ fake-iquery yes_or_no; ]
        [ fetch-glue yes_or_no; ]
        [ files size_spec; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ has-old-clients yes_or_no; ]
        [ heartbeat-interval number; ]
        [ host-statistics yes_or_no; ]
        [ interface-interval number; ]
        [ lame-ttl number; ]
        [ listen-on [ port ip_port ] { address_match_list }; ]
        [ maintain-ixfr-base yes_or_no; ]
        [ max-ixfr-log-size number; ]
        [ max-ncache-ttl number; ]
        [ max-transfer-time-in number; ]
        [ memstatistics-file path_name; ]
        [ min-roots number; ]
        [ multiple-cnames yes_or_no; ]
        [ named-xfer path_name; ]
        [ notify yes_or_no; ]
        [ pid-file path_name; ]
        [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
        [ recursion yes_or_no; ]
        [ rfc2308-type1 yes_or_no; ]
        [ rrset-order { order_spec; [ order_spec; ] }; ]
        [ serial-queries number; ]
        [ sortlist { address_match_list }; ]
        [ stacksize size_spec; ]
        [ statistics-file path_name; ]
        [ statistics-interval number; ]
        [ topology { address_match_list }; ]
        [ transfer-format ( one-answer | many-answers ); ]
        [ transfer-source ( ip_addr | * ); ]
        [ transfers-in number; ]
        [ transfers-per-ns number; ]
        [ treat-cr-as-space yes_or_no; ]
        [ use-id-pool yes_or_no; ]
        [ use-ixfr yes_or_no; ]
        [ version version_string; ]
    };

Covered in Chapter 4, Chapter 10, Chapter 11, and Chapter 16.

E.3.7 server

Function:
Defines the characteristics to be associated with a remote name server.

Syntax:
    server ip_addr {
        [ bogus yes_or_no; ]
        [ keys { key_id [ key_id ] }; ]
        [ support-ixfr yes_or_no; ]
        [ transfer-format ( one-answer | many-answers ); ]
    };

Covered in Chapter 10 and Chapter 11.

E.3.8 trusted-keys (8.2+)

Function:
Configures the public keys of security roots for use in DNSSEC.

Syntax:
    trusted-keys {
        domain-name flags protocol_id algorithm_id public_key_string;
        [ domain-name flags protocol_id algorithm_id public_key_string; [ ... ] ]
    };

Covered in Chapter 11.

E.3.9 zone

Function:
Configures the zones maintained by the name server.

Syntax:
    zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {
        type master;
        file path_name;
        [ allow-query { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ allow-update { address_match_list }; ]
        [ also-notify { ip_addr; [ ip_addr; ] }; ]
        [ check-names ( warn | fail | ignore ); ]
        [ dialup yes_or_no | notify; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ ixfr-base path_name; ]
        [ ixfr-tmp-file path_name; ]
        [ maintain-ixfr-base yes_or_no; ]
        [ notify yes_or_no; ]
        [ pubkey flags protocol_id algorithm_id public_key_string; ]
    };

    zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {
        type slave;
        masters [ port ip_port ] { ip_addr; [ ip_addr; ] };
        [ allow-query { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ allow-update { address_match_list }; ]
        [ also-notify { ip_addr; [ ip_addr; ] }; ]
        [ check-names ( warn | fail | ignore ); ]
        [ dialup yes_or_no; ]
        [ file path_name; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ ixfr-base path_name; ]
        [ max-transfer-time-in number; ]
        [ notify yes_or_no; ]
        [ pubkey flags protocol_id algorithm_id public_key_string; ]
        [ transfer-source ip_addr; ]
    };

    zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {
        type stub;
        masters [ port ip_port ] { ip_addr; [ ip_addr; ] };
        [ allow-query { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ allow-update { address_match_list }; ]
        [ check-names ( warn | fail | ignore ); ]
        [ dialup yes_or_no; ]
        [ file path_name; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ max-transfer-time-in number; ]
        [ pubkey flags protocol_id algorithm_id public_key_string; ]
        [ transfer-source ip_addr; ]
    };

    zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {
        type forward;
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
    };

    zone "." [ ( in | hs | hesiod | chaos ) ] {
        type hint;
        file path_name;
        [ check-names ( warn | fail | ignore ); ]
    };

Covered in Chapter 4 and Chapter 10.

E.4 BIND 9 Configuration File Statements

E.4.1 acl

Function:
Creates a named address match list.

Syntax:
    acl name {
        address_match_list;
    };

Covered in Chapter 10 and Chapter 11.

E.4.2 controls

Function:
Configures a channel used by rndc to control the name server.

Syntax:
    controls {
        [ inet ( ip_addr | * ) port ip_port allow address_match_list keys key_list; ]
        [ inet ...; ]
    };

Covered in Chapter 7.

E.4.3 include

Function:
Inserts the specified file at the point that the include statement is encountered.

Syntax:
    include path_name;

Covered in Chapter

E.4.4 key

Function:
Defines a key ID that can be used in a server statement or an address match list to associate a TSIG key with a particular name server.

Syntax:
    key key_id {
        algorithm algorithm_id;
        secret secret_string;
    };

Covered in Chapter 10 and Chapter 11.

E.4.5 logging

Function:
Configures the name server's logging behavior.

Syntax:
    logging {
        [ channel channel_name {
            ( file path_name
                [ versions ( number | unlimited ) ]
                [ size size_spec ]
              | syslog ( kern | user | mail | daemon | auth | syslog | lpr |
                         news | uucp | cron | authpriv | ftp |
                         local0 | local1 | local2 | local3 |
                         local4 | local5 | local6 | local7 )
              | stderr
              | null );
            [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ]
            [ print-category yes_or_no; ]
            [ print-severity yes_or_no; ]
            [ print-time yes_or_no; ]
        }; ]
        [ category category_name {
            channel_name; [ channel_name; ]
        }; ]
    };

Covered in Chapter 7.

E.4.6 options

Function:
Configures global options.

Syntax:
    options {
        [ additional-from-auth yes_or_no; ]
        [ additional-from-cache yes_or_no; ]
        [ allow-notify { address_match_list }; ]
        [ allow-query { address_match_list }; ]
        [ allow-recursion { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ also-notify { ip_addr [ port ip_port ]; [ ip_addr [ port ip_port ]; ] }; ]
        [ auth-nxdomain yes_or_no; ]
        [ blackhole { address_match_list }; ]
        [ cleaning-interval number; ]
        [ coresize size_spec; ]
        [ datasize size_spec; ]
        [ dialup yes_or_no; ]
        [ directory path_name; ]
        [ dump-file path_name; ]
        [ files size_spec; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ heartbeat-interval number; ]
        [ interface-interval number; ]
        [ lame-ttl number; ]
        [ listen-on [ port ip_port ] { address_match_list }; ]
        [ listen-on-v6 [ port ip_port ] { address_match_list }; ]
        [ max-cache-ttl number; ]
        [ max-ncache-ttl number; ]
        [ max-refresh-time number; ]
        [ max-retry-time number; ]
        [ max-transfer-idle-in number; ]
        [ max-transfer-idle-out number; ]
        [ max-transfer-time-in number; ]
        [ max-transfer-time-out number; ]
        [ min-refresh-time number; ]
        [ min-retry-time number; ]
        [ notify yes_or_no | explicit; ]
        [ notify-source ( ip_addr | * ) [ port ip_port ]; ]
        [ notify-source-v6 ( ip6_addr | * ) [ port ip_port ]; ]
        [ pid-file path_name; ]
        [ port ip_port; ]
        [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
        [ query-source-v6 [ address ( ip6_addr | * ) ] [ port ( ip_port | * ) ]; ]
        [ recursion yes_or_no; ]
        [ recursive-clients number; ]
        [ sig-validity-interval number; ]
        [ sortlist { address_match_list }; ]
        [ stacksize size_spec; ]
        [ statistics-file path_name; ]
        [ tcp-clients number; ]
        [ tkey-dhkey key_name key_tag; ]
        [ tkey-domain domain_name; ]
        [ transfer-format ( one-answer | many-answers ); ]
        [ transfer-source ( ip_addr | * ) [ port ip_port ]; ]
        [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ]; ]
        [ transfers-in number; ]
        [ transfers-out number; ]
        [ transfers-per-ns number; ]
        [ version version_string; ]
        [ zone-statistics yes_or_no; ]
    };

Covered in Chapter 4, Chapter 10, Chapter 11, and Chapter 16.

E.4.7 server

Function:
Defines the characteristics to be associated with a remote name server.

Syntax:
    server ip_addr {
        [ bogus yes_or_no; ]
        [ keys { key_id [ key_id ] }; ]
        [ provide-ixfr yes_or_no; ]
        [ request-ixfr yes_or_no; ]
        [ transfers number; ]
        [ transfer-format ( one-answer | many-answers ); ]
    };

Covered in Chapter 10 and Chapter 11.

E.4.8 trusted-keys

Function:
Configures the public keys of security roots for use in DNSSEC.

Syntax:
    trusted-keys {
        domain-name flags protocol_id algorithm_id public_key_string;
        [ domain-name flags protocol_id algorithm_id public_key_string; [ ... ] ]
    };

Covered in Chapter 11.

E.4.9 view

Function:
Creates and configures a view.

Syntax:
    view "view_name" [ ( in | hs | hesiod | chaos ) ] {
        match-clients { address_match_list };
        [ allow-notify { address_match_list }; ]
        [ allow-query { address_match_list }; ]
        [ allow-recursion { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ also-notify { ip_addr; [ ip_addr; ] }; ]
        [ auth-nxdomain yes_or_no; ]
        [ cleaning-interval number; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ key ... ]
        [ lame-ttl number; ]
        [ min-refresh-time number; ]
        [ min-retry-time number; ]
        [ max-cache-ttl number; ]
        [ max-ncache-ttl number; ]
        [ max-transfer-idle-out number; ]
        [ max-transfer-time-out number; ]
        [ max-refresh-time number; ]
        [ max-retry-time number; ]
        [ notify yes_or_no | explicit; ]
        [ provide-ixfr yes_or_no; ]
        [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
        [ query-source-v6 [ address ( ip6_addr | * ) ] [ port ( ip_port | * ) ]; ]
        [ recursion yes_or_no; ]
        [ request-ixfr yes_or_no; ]
        [ server ... ]
        [ sig-validity-interval number; ]
        [ sortlist { address_match_list }; ]
        [ transfer-format ( one-answer | many-answers ); ]
        [ transfer-source ( ip_addr | * ) [ port ip_port ]; ]
        [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ]; ]
        [ trusted-keys ... ]
        [ zone ... ]
    };

Covered in Chapter 10 and Chapter 11.

E.4.10 zone

Function:
Configures the zones maintained by the name server.

Syntax:
    zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {
        type master;
        file path_name;
        [ allow-notify { address_match_list }; ]
        [ allow-query { address_match_list }; ]
        [ allow-transfer { address_match_list }; ]
        [ allow-update { address_match_list }; ]
        [ allow-update-forwarding { address_match_list }; ]
        [ also-notify { ip_addr [ port ip_port ]; [ ip_addr [ port ip_port ]; ] }; ]
        [ database string; [ string; ] ]
        [ dialup yes_or_no | notify; ]
        [ forward ( only | first ); ]
        [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ]
        [ max-refresh-time number; ]
        [ max-retry-time number; ]
        [ max-transfer-idle-out
number; ] [ max-transfer-time-out number; ] [ min-refresh-time number; ] Publisher : O'Reilly [ Date min-retry-time Pub : April 2001 number; ] [ notify: 0-596-00158-4 yes_or_no | explicit; ] ISBN [ sig-validity-interval number; ] Pages : 622 [ update-policy { update_policy_rule; [ ] }; ] }; zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { The fourth edition of DNS and BIND covers the new 9.1.0 and 8.2.3 versions of BIND as well as the older 4.9 type slave; version There's alsoip_port more extensive coverage of NOTIFY, IPv6 and reverse masters [ port ] { ip_addr [ port ip_port ] forward [ key key_id ]; [mapping, ip_addr transaction [ port ip_port ] [ key signatures, and the new DNS Security Extensions; and a section on accommodating Windows 2000 clients, servers [ allow-query { address_match_list }; ] and Controllers [ Domain allow-transfer { address_match_list }; ] [ allow-update { address_match_list }; ] I l@ve RuBoard [ allow-update-forwarding { address_match_list }; ] [ also-notify { ip_addr [ port ip_port ]; [ ip_addr [ port ip_port ]; ] }; [ dialup yes_or_no | notify | notify-passive | refresh | passive; ] [ file path_name; ] [ forward ( only | first ); ] [ forwarders { [ ip_addr; [ ip_addr; ] ] }; ] [ max-refresh-time number ; ] [ max-retry-time number ; ] [ max-transfer-idle-in number; ] [ max-transfer-idle-out number; ] [ max-transfer-time-in number; ] [ max-transfer-time-out number; ] [ min-refresh-time number ; ] [ min-retry-time number ; ] [ notify yes_or_no | explicit; ] [ transfer-source ( ip_addr | * ) [ port ip_port ]; ] [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ]; ] }; zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { type stub; masters [ port ip_port ] { ip_addr [ [port ip_port ] [ key key_id ]; [ ip_addr [ port ip_port ] [ key key_id ]; ] }; [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ allow-update { address_match_list }; ] [ allow-update-forwarding { address_match_list }; ] [ dialup 
yes_or_no | passive | refresh; ] [ file path_name; ] I l@ve RuBoard( only | first ); ] [ forward [ [ [ [ [ [ [ [ [ • [ • [ • }; forwarders { [ ip_addr ; [ ip_addr ; ] ] }; ] max-refresh-time number ; ] max-retry-time number ; ] max-transfer-idle-in number; ] max-transfer-idle-out number; ] max-transfer-time-in number; ] max-transfer-time-out number; ] min-refresh-time number ; ] min-retry-time number ; ] Table of Contents transfer-source ( ip_addr | * ) [ port ip_port ]; ] Index transfer-source-v6 ( ip6_addr | * ) [ port ip_port ]; ] • Reviews Examples • Reader Reviews zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { • type forward; Errata [ forward ( only 4th | first ); ] DNS and BIND, Edition [ forwarders { Liu [ ip_addr ; [ ip_addr ; ] ] }; ] By Paul Albitz,Cricket }; Publisher zone "." [: O'Reilly ( in | hs | hesiod | chaos ) ] { Pub Datehint; : April 2001 type ISBN : 0-596-00158-4 file path_name; Pages : 622 }; Covered in Chapter 4, and Chapter 10 The fourth edition of DNS and BIND covers the new 9.1.0 and 8.2.3 versions of BIND as well as the older 4.9 I l@ve RuBoard version There's also more extensive coverage of NOTIFY, IPv6 forward and reverse mapping, transaction signatures, and the new DNS Security Extensions; and a section on accommodating Windows 2000 clients, servers and Domain Controllers I l@ve RuBoard I l@ve RuBoard I l@ve RuBoard E.5 BIND Resolver Statements The following statements are for the resolver configuration file, /etc/resolv.conf E.5.1 domain • Table of Contents • Index Function: • Reviews Defines your resolver's local domain name • Examples • Reader Reviews Syntax: domain domain-name • Errata Example: DNS and BIND, 4th Edition domain corp.hp.com By Paul Albitz,Cricket Liu Covered in Chapter Publisher : O'Reilly Pub Date : April 2001 ISBN search E.5.2 : 0-596-00158-4 Pages : 622 Function: Defines your resolver's local domain name and search list The fourth edition of DNS and BIND covers the new 9.1.0 and 8.2.3 versions of BIND as 
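The access-control statements in the options and zone syntax above (allow-recursion, allow-transfer, allow-update, version) are where most exposed name servers go wrong. As an added example, not code from the book or from BIND, the following Python tokenizes a named.conf, builds the nested statement tree and flags an open resolver, an open zone-transfer source, an unrestricted allow-update and a missing version string. The two configurations it checks are constructed for this example: "example.com", "xfer-key", the secret and the 192.0.2.0/24 network are placeholders. Only top-level options and zone statements are walked; view statements are not descended into.

```python
# Added example, not from the book or from BIND: audit a named.conf for the
# access-control mistakes the options and zone statements above exist to prevent.
# Both configurations are constructed; "xfer-key", its secret and 192.0.2.0/24
# are placeholders.
import re

WEAK = """
options {
    directory "/var/named";
    recursion yes;                    // no allow-recursion: open resolver
};
zone "example.com" in {
    type master;
    file "db.example.com";
    allow-update { any; };            // anyone can rewrite the zone
};
zone "." in { type hint; file "db.cache"; };
"""

HARDENED = """
key "xfer-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LW5vdC1yZWFsbHk=";   # placeholder, not a real key
};
options {
    directory "/var/named";
    version "not disclosed";                        // hide the version.bind answer
    allow-recursion { 192.0.2.0/24; localhost; };   // recurse only for our own clients
    allow-transfer { none; };                       // deny transfers unless a zone opts in
};
zone "example.com" in {
    type master;
    file "db.example.com";
    allow-transfer { key xfer-key; };   // only TSIG-signed transfer requests
    allow-update { key xfer-key; };     // only TSIG-signed dynamic updates
};
zone "." in { type hint; file "db.cache"; };
"""

def tokenize(text):
    """Drop /* */, // and # comments, then split into quoted strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def parse(tokens, pos=0):
    """Return (statements, pos); a statement is (head_tokens, child_statements_or_None)."""
    stmts, head = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            body, pos = parse(tokens, pos)   # comes back just past the matching '}'
            stmts.append((head, body))
            head = []
        elif tok == "}":
            return stmts, pos
        elif tok == ";":
            if head:
                stmts.append((head, None))
                head = []
        else:
            head.append(tok.strip('"'))
    return stmts, pos

def find(stmts, keyword):
    """First statement introduced by `keyword`, or None."""
    return next((s for s in stmts if s[0] and s[0][0] == keyword), None)

def leaf(stmts, keyword):
    """Argument text of a brace-less 'keyword value;' statement, or None if absent."""
    s = find(stmts, keyword)
    return " ".join(s[0][1:]) if s and s[1] is None else None

def acl(stmt):
    """Entries of an address_match_list statement as strings, or None if it is absent."""
    if stmt is None:
        return None
    return [" ".join(h) for h, _ in (stmt[1] or [])]

def audit(conf):
    """Return human-readable findings for a named.conf text (top-level options and zones)."""
    stmts, _ = parse(tokenize(conf))
    findings = []
    opts = find(stmts, "options")
    gopts = (opts[1] or []) if opts else []
    # named defaults to recursion yes; without allow-recursion every client may recurse.
    if leaf(gopts, "recursion") in (None, "yes"):
        rec = acl(find(gopts, "allow-recursion"))
        if rec is None or "any" in rec:
            findings.append("options: recursion is on for any client (open resolver); "
                            "add allow-recursion or set recursion no")
    if leaf(gopts, "version") is None:
        findings.append("options: version not set; named answers version.bind CHAOS "
                        "queries with its real version string")
    global_xfer = acl(find(gopts, "allow-transfer"))
    for head, body in stmts:
        if head[:1] != ["zone"] or body is None:
            continue
        name = head[1]
        if leaf(body, "type") in ("master", "slave"):
            xfer = acl(find(body, "allow-transfer"))
            if xfer is None:
                xfer = global_xfer               # the zone inherits the global list
            if xfer is None or "any" in xfer:
                findings.append(f"zone {name}: allow-transfer permits any host; "
                                "restrict it to the slaves or to a TSIG key")
        update = acl(find(body, "allow-update"))
        if update and "any" in update:
            findings.append(f"zone {name}: allow-update {{ any; }} lets any host rewrite the zone")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or ["no findings"])
```

The hardened configuration denies transfers globally and re-opens them per zone only to requests signed with the key defined by the key statement, which is the pattern the options, key and zone syntax above are designed for; the weak one relies on defaults, and the defaults are permissive.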
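The domain, search, nameserver, sortlist and options statements of this section interact in one way that matters for security: a name with fewer dots than ndots is sent out qualified with each search domain before it is ever tried as typed, so whoever answers for a search domain answers those lookups first. As an added example, not code from the book or from the BIND resolver, the following Python reads a resolv.conf written with the statements documented here and reproduces the order in which the BIND resolver's search logic tries names. It assumes the default resolver flags (RES_DEFNAMES and RES_DNSRCH on) and that no query is cut short by an error; the sample file is constructed from the examples given in this section.

```python
# Added example, not from the book or the BIND resolver: parse /etc/resolv.conf
# statements (domain, search, nameserver, sortlist, ';' and '#' comments, options)
# and list the names the resolver will try, in order. Assumes default resolver
# flags and no early exit on errors. The sample file is constructed from the
# examples in this section.
import re

SAMPLE = """\
; constructed sample resolv.conf
domain corp.hp.com
# a later search line replaces the domain line: the last one wins
search corp.hp.com pa.itc.hp.com hp.com
nameserver 15.255.152.4
sortlist 128.32.4.0/255.255.255.0 15.0.0.0
options ndots:1 attempts:2 timeout:1 rotate
"""

def parse_resolv_conf(text):
    """Return {'search': [...], 'nameserver': [...], 'sortlist': [...], 'options': {...}}."""
    conf = {"search": [], "nameserver": [], "sortlist": [], "options": {}}
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()   # E.5.4 comment syntax
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "domain" and args:
            conf["search"] = [args[0]]          # a one-entry search list
        elif keyword == "search":
            conf["search"] = list(args)
        elif keyword == "nameserver" and args:
            conf["nameserver"].append(args[0])
        elif keyword == "sortlist":
            conf["sortlist"] = list(args)
        elif keyword == "options":
            for opt in args:                    # ndots:1, attempts:2, timeout:1, rotate, debug ...
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value.isdigit() else True
    return conf

def search_candidates(name, conf):
    """Fully qualified names tried, in order, for `name` under this resolv.conf."""
    if name.endswith("."):
        return [name]                           # trailing dot: absolute only, never searched
    ndots = conf["options"].get("ndots", 1)     # resolver default when no ndots option
    as_is = [name + "."]
    searched = [f"{name}.{domain}." for domain in conf["search"]]
    if name.count(".") >= ndots:
        return as_is + searched                 # enough dots: try as typed first
    return searched + as_is                     # too few dots: search list first, as typed last

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE)
    for n in ("www", "www.example.com", "ftp.pa.itc.hp.com."):
        print(n, "->", search_candidates(n, conf))
```

Running it shows that a bare "www" goes to corp.hp.com, pa.itc.hp.com and hp.com before "www." itself, that raising ndots pushes even dotted names such as "mail.hp" through the search list first, and that a trailing dot is the only way to bypass the list entirely. That is the argument for keeping the search list short and under your own control, and for writing fully qualified names in anything security-sensitive.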
Syntax:
search local-domain-name next-domain-name-in-search-list last-domain-name-in-search-list

Example:
search corp.hp.com pa.itc.hp.com hp.com

Covered in Chapter

E.5.3 nameserver

Function:
Tells your resolver to query a particular name server.

Syntax:
nameserver IP-address

Example:
nameserver 15.255.152.4

Covered in Chapter

E.5.4 ; and # (4.9+)

Function:
Adds a comment to the resolver configuration file.

Syntax:
; free-format-comment
or
# free-format-comment

Example:
# Added parent domain to search list for compatibility with 4.8.3

Covered in Chapter

E.5.5 sortlist (4.9+)

Function:
Specifies networks for your resolver to prefer.

Syntax:
sortlist network-list

Example:
sortlist 128.32.4.0/255.255.255.0 15.0.0.0

Covered in Chapter

E.5.6 options ndots (4.9+)

Function:
Specifies the number of dots an argument must have in it so that the resolver will look it up before applying the search list.

Syntax:
options ndots:number-of-dots

Example:
options ndots:1

Covered in Chapter

E.5.7 options debug (4.9+)

Function:
Turns on debugging output in the resolver.

Syntax:
options debug

Example:
options debug

Covered in Chapter

E.5.8 options no-check-names (8.2+)

Function:
Turns off name checking in the resolver.

Syntax:
options no-check-names

Example:
options no-check-names

Covered in Chapter

E.5.9 options attempts (8.2+)

Function:
Specifies the number of times the resolver should query each name server.

Syntax:
options attempts:number-of-attempts

Example:
options attempts:2

Covered in Chapter 6

E.5.10 options timeout (8.2+)

Function:
Specifies the resolver's per-name server timeout.

Syntax:
options timeout:timeout-in-seconds

Example:
options timeout:1

Covered in Chapter

E.5.11 options rotate (8.2+)

Function:
Rotates the order in which the resolver queries name servers.

Syntax:
options rotate

Example:
options rotate

Covered in Chapter

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects.

The insects featured on the cover of DNS and BIND are grasshoppers. Grasshoppers are found all over the globe. Of over 5000 species, 100 different grasshopper species are found in North America. Grasshoppers are greenish-brown, and range in length from a half inch to four inches, with wingspans of up to six inches. Their bodies are divided into three sections: the head, thorax, and abdomen, with three
pairs of legs and two pairs of wings.

Male grasshoppers use their hind legs and forewings to produce a "chirping" sound. Their hind legs have a ridge of small pegs that are rubbed across a hardened vein in the forewing, causing an audible vibration much like a bow being drawn across a string.

Grasshoppers are major crop pests, particularly when they collect in swarms. A single grasshopper can consume 30mg of food a day. In collections of 50 or more grasshoppers per square yard, a density often reached during grasshopper outbreaks, grasshoppers consume as much as a cow would per acre. In addition to consuming foliage, grasshoppers damage plants by attacking them at vulnerable points and causing the stems to break off.

Leanne Soylemez was the production editor and proofreader for DNS and BIND, Fourth Edition. Emily Quill was the copyeditor, and also provided production assistance. Catherine Morris and Matt Hutchinson performed quality control reviews. Brenda Miller wrote the index. Production assistance was provided by Edith Shapiro and Sada Preisch.

Edie Freedman designed the cover of this book, using a 19th-century engraving from the Dover Pictorial Archive. Emma Colby and Erica Corwell produced the cover and layout with Quark™XPress 4.1 using Adobe's ITC Garamond font.

David Futato and Melanie Wang designed the interior layout, based on a series design by Nancy Priest. Anne-Marie Vaduva converted the files from Microsoft Word to FrameMaker 5.5.6 using tools created by Mike Sierra.

The text and heading fonts are ITC Garamond Light and Garamond Book; the code font is Constant Willison. The illustrations that appear in this book were produced by Robert Romano and Jessamyn Read using Macromedia Freehand and Adobe Photoshop. This colophon was written by Clairemarie Fisher O'Leary.

The online edition of this book was created by the Safari production group (John Chodacki, Becki Maisch, and Madeleine Newell) using a set of Frame-to-XML conversion and cleanup tools written and maintained by Erik Ray, Benn Salter, John Chodacki, and Jeff Liggett.