DNS and BIND, 5th Edition
By Paul Albitz, Cricket Liu
Publisher: O'Reilly
Pub Date: May 2006
Print ISBN-10: 0-596-10057-4
Print ISBN-13: 978-0-59-610057-5
Pages: 640

DNS and BIND tells you everything you need to work with one of the Internet's fundamental building blocks: the distributed host information database that's responsible for translating names into addresses, routing mail to its proper destination, and even listing phone numbers with the new ENUM standard. This book brings you up-to-date with the latest changes in this crucial service.

The fifth edition covers BIND 9.3.2, the most recent release of the BIND 9 series, as well as BIND 8.4.7. BIND 9.3.2 contains further improvements in security and IPv6 support, and important new features such as internationalized domain names, ENUM (electronic numbering), and SPF (the Sender Policy Framework).

Whether you're an administrator involved with DNS on a daily basis or a user who wants to be more informed about the Internet and how it works, you'll find that this book is essential reading.

Topics include:

    What DNS does, how it works, and when you need to use it
    How to find your own place in the Internet's namespace
    Setting up name servers
    Using MX records to route mail
    Configuring hosts to use DNS name servers
    Subdividing domains (parenting)
    Securing your name server: restricting who can query your server, preventing unauthorized zone transfers, avoiding bogus servers, etc.
    The DNS Security Extensions (DNSSEC) and Transaction Signatures (TSIG)
    Mapping one name to several servers for load sharing
    Dynamic updates, asynchronous notification of change to a zone, and incremental zone transfers
    Troubleshooting: using nslookup and dig, reading debugging output, common problems
    DNS programming using the resolver library and Perl's Net::DNS module
Table of Contents

Copyright
Preface
Chapter 1 Background
    Section 1.1 A (Very) Brief History of the Internet
    Section 1.2 On the Internet and Internets
    Section 1.3 The Domain Name System, in a Nutshell
    Section 1.4 The History of BIND
    Section 1.5 Must I Use DNS?
Chapter 2 How Does DNS Work?
    Section 2.1 The Domain Namespace
    Section 2.2 The Internet Domain Namespace
    Section 2.3 Delegation
    Section 2.4 Nameservers and Zones
    Section 2.5 Resolvers
    Section 2.6 Resolution
    Section 2.7 Caching
Chapter 3 Where Do I Start?
    Section 3.1 Getting BIND
    Section 3.2 Choosing a Domain Name
Chapter 4 Setting Up BIND
    Section 4.1 Our Zone
    Section 4.2 Setting Up Zone Data
    Section 4.3 Setting Up a BIND Configuration File
    Section 4.4 Abbreviations
    Section 4.5 Hostname Checking
    Section 4.6 Tools
    Section 4.7 Running a Primary Nameserver
    Section 4.8 Running a Slave Nameserver
    Section 4.9 Adding More Zones
    Section 4.10 What's Next?
Chapter 5 DNS and Electronic Mail
    Section 5.1 MX Records
    Section 5.2 Movie.edu's Mail Server
    Section 5.3 What's a Mail Exchanger, Again?
    Section 5.4 The MX Algorithm
    Section 5.5 DNS and Email Authentication
Chapter 6 Configuring Hosts
    Section 6.1 The Resolver
    Section 6.2 Resolver Configuration
    Section 6.3 Sample Resolver Configurations
    Section 6.4 Minimizing Pain and Suffering
    Section 6.5 Additional Configuration Files
    Section 6.6 The Windows XP Resolver
Chapter 7 Maintaining BIND
    Section 7.1 Controlling the Nameserver
    Section 7.2 Updating Zone Datafiles
    Section 7.3 Organizing Your Files
    Section 7.4 Changing System File Locations
    Section 7.5 Logging
    Section 7.6 Keeping Everything Running Smoothly
Chapter 8 Growing Your Domain
    Section 8.1 How Many Nameservers?
    Section 8.2 Adding More Nameservers
    Section 8.3 Registering Nameservers
    Section 8.4 Changing TTLs
    Section 8.5 Planning for Disasters
    Section 8.6 Coping with Disaster
Chapter 9 Parenting
    Section 9.1 When to Become a Parent
    Section 9.2 How Many Children?
    Section 9.3 What to Name Your Children
    Section 9.4 How to Become a Parent: Creating Subdomains
    Section 9.5 Subdomains of in-addr.arpa Domains
    Section 9.6 Good Parenting
    Section 9.7 Managing the Transition to Subdomains
    Section 9.8 The Life of a Parent
Chapter 10 Advanced Features
    Section 10.1 Address Match Lists and ACLs
    Section 10.2 DNS Dynamic Update
    Section 10.3 DNS NOTIFY (Zone Change Notification)
    Section 10.4 Incremental Zone Transfer (IXFR)
    Section 10.5 Forwarding
    Section 10.6 Views
    Section 10.7 Round-Robin Load Distribution
    Section 10.8 Nameserver Address Sorting
    Section 10.9 Preferring Nameservers on Certain Networks
    Section 10.10 A Nonrecursive Nameserver
    Section 10.11 Avoiding a Bogus Nameserver
    Section 10.12 System Tuning
    Section 10.13 Compatibility
    Section 10.14 The ABCs of IPv6 Addressing
    Section 10.15 Addresses and Ports
Chapter 11 Security
    Section 11.1 TSIG
    Section 11.2 Securing Your Nameserver
    Section 11.3 DNS and Internet Firewalls
    Section 11.4 The DNS Security Extensions
Chapter 12 nslookup and dig
    Section 12.1 Is nslookup a Good Tool?
    Section 12.2 Interactive Versus Noninteractive
    Section 12.3 Option Settings
    Section 12.4 Avoiding the Search List
    Section 12.5 Common Tasks
    Section 12.6 Less Common Tasks
    Section 12.7 Troubleshooting nslookup Problems
    Section 12.8 Best of the Net
    Section 12.9 Using dig
Chapter 13 Reading BIND Debugging Output
    Section 13.1 Debugging Levels
    Section 13.2 Turning On Debugging
    Section 13.3 Reading Debugging Output
    Section 13.4 The Resolver Search Algorithm and Negative Caching (BIND 8)
    Section 13.5 The Resolver Search Algorithm and Negative Caching (BIND 9)
    Section 13.6 Tools
Chapter 14 Troubleshooting DNS and BIND
    Section 14.1 Is NIS Really Your Problem?
    Section 14.2 Troubleshooting Tools and Techniques
    Section 14.3 Potential Problem List
    Section 14.4 Transition Problems
    Section 14.5 Interoperability and Version Problems
    Section 14.6 TSIG Errors
    Section 14.7 Problem Symptoms
Chapter 15 Programming with the Resolver and Nameserver Library Routines
    Section 15.1 Shell Script Programming with nslookup
    Section 15.2 C Programming with the Resolver Library Routines
    Section 15.3 Perl Programming with Net::DNS
Chapter 16 Architecture
    External, Authoritative DNS Infrastructure
    Forwarder Infrastructure
    Internal DNS Infrastructure
    Operations
    Keeping Up with DNS and BIND
Chapter 17 Miscellaneous
    Section 17.1 Using CNAME Records
    Section 17.2 Wildcards
    Section 17.3 A Limitation of MX Records
    Section 17.4 Dial-up Connections
    Section 17.5 Network Names and Numbers
    Section 17.6 Additional Resource Records
    Section 17.7 ENUM
    Section 17.8 Internationalized Domain Names
    Section 17.9 DNS and WINS
    Section 17.10 DNS, Windows, and Active Directory
Appendix A DNS Message Format and Resource Records
    Section A.1 Master File Format
    Section A.2 DNS Messages
    Section A.3 Resource Record Data
Appendix B BIND Compatibility Matrix
Appendix C Compiling and Installing BIND on Linux
    Section C.1 Instructions for BIND 8
    Section C.2 Instructions for BIND 9
Appendix D Top-Level Domains
Appendix E BIND Nameserver and Resolver Configuration
    Section E.1 BIND Nameserver Boot File Directives and Configuration File Statements
    Section E.2 BIND 8 Configuration File Statements
    Section E.3 BIND 9 Configuration File Statements
    Section E.4 BIND Resolver Statements
    Section E.5 BIND 9 Options Statement
About the Authors
Colophon
Index

DNS and BIND, Fifth Edition
by Cricket Liu and Paul Albitz

Copyright © 2006, 2001, 1998, 1997, 1992 O'Reilly Media, Inc. All rights reserved.
Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editor: Mike Loukides
Production Editor: Matt Hutchinson
Copyeditor: Mary Anne Weeks Mayo
Proofreader: Matt Hutchinson
Indexer: Ellen Troutman-Zaig
Cover Designer: Edie Freedman
Interior Designer: David Futato
Cover Illustrator: Karen Montgomery
Illustrators: Robert Romano and Jessamyn Read

Printing History:
October 1992: First Edition
January 1997: Second Edition
September 1998: Third Edition
April 2001: Fourth Edition
May 2006: Fifth Edition

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. DNS and BIND, the image of grasshoppers, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 0-596-10057-4
[M]

    new generic top-level domains
    traditions and extent to which they are followed
topology feature (BIND 8)
trace command
    ndc program
    rndc program
traceroute
transfer format, many-answers
transfer-format substatement
transfer-source substatement
transfer-source-v6 substatement
transfers substatement
transports
    IPv4
    IPv6
travel domain
tree structure, DNS database
troubleshooting
    forgot to increment serial number
    forgot to reload primary nameserver
    incorrect subdomain delegation
    interoperability and version problems
    local domain name not set
    local name can't be looked up
    logging queries
    missing dot at domain name end in zone datafile
    missing root hints data
    missing subdomain delegation
    network connectivity loss
    NIS
    old data, unable to get rid of
    PTR record, forgetting to add for new host
    reading BIND 8 database dump
    reading BIND 9 database dump
    remote names, inability to look up
    response from unexpected source
    rlogin and rsh fail access check
    services, access denied
    slave nameserver can't load zone data
    slow lookups
    syntax error in config file or zone datafile
    syntax error in resolv.conf
    transition to recent BIND versions
    using named-xfer
    wrong or inconsistent answers
    zone transfer with nslookup or dig
trust anchor
trust levels in database dumps
trusted-keys statement
TRYAGAIN condition
TSIG (transaction signatures)
    configuring keys
        time synchronization
    dynamic updates signed with
    errors
    GSS-TSIG
    limitations of
    one-way hash functions
    records
    signing zone transfer requests
    update-policy zone substatement (BIND 9)
TTL (time to live)
    changing
    deciding on, performance versus consistency
    default, setting for zone
    explicit, specified on NS records
    minimum TTL, pre-BIND 8.2 nameservers
    not set
    original TTL on records in signed RRset
    raising default for zones not changing frequently
    records in root hints file
    Windows XP resolver caching
TXT records
    associated with RP records
    queries on BIND 8 nameserver
    SPF
        common mechanisms used in
    updating in zone datafiles
type covered field (RRSIG records)
types field (update-policy statement)

Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] [Y] [Z]

UDP
    checksums disabled
    datagrams
    DNS messages based on
uk domain, organizationally oriented subdomains
Unassociated entries section (database dump)
UNAVAIL condition
uncompressing domain names
Unicode, converting ACE to and from
uninterruptible power system (UPS)
Unix
    BIND software included with
    domain sockets
    end-of-line sequence
    networking commands, search list applied to domain name argument
Unix epoch, converting to date
Unix filesystem, DNS database versus
unsigned zones, delegating to
unspecified error (nslookup)
unsponsored gTLDs
update forwarding
    controlling which updates are forwarded
    TSIG-signed
update-policy substatement
UPS (uninterruptible power system)
URIs, mapping E.165 numbers to
URLs
    country top-level domains, web sites
    regional Internet registries, whois web page
us top-level domain
    interpreting domain names (example)
use-id-pool substatement
Usenet newsgroups, BIND

value options (nslookup)
    verifying
version.bind query
versions substatement (file channel)
view command (nslookup)
view statement
    match-clients substatement
    match-destinations substatement
    match-recursive-only substatement
    types of substatements
views
    full named.conf file (example)
    resolving and advertising nameservers
    support by BIND 9
    using on bastion host
vulnerabilities in BIND versions

$=w names (sendmail)
warning severity
web sites, top-level domains
web surfing, nameserver use
whois
    administrative and technical contacts for zones
    finding right whois server
    regional Internet registries, web page
wildcard MX records
wildcards
WINCH signal
Windows 2000 DNS white paper
Windows operating systems
    end-of-line sequence
    problems with Active Directory and BIND
    secure dynamic update
    using dynamic update
Windows Server 2003
Windows XP resolver
    advanced configuration
    automatic registration
    caching
    DNS suffixes
    negative answers, handling of
    retransmission algorithm
    subnet prioritization
WINS (Windows Internet Name Service)
    zone transfer failure from proprietary record

X Windows-based user environments
X0.hosts file, adding domain names to hostnames

ypcat, listing hosts database

zone ca (Canada)
zone datafiles
    calculating IXFR from differences in versions
    comments and blank lines
    completed (example)
    creating for new, delegated subdomain
    db.movie.edu.signed (example)
    DNS resource records
    dynamic update and
    forgotten PTR record for new host name
    internal and external views
    missing dot at domain name end
    organizing
        changing origin
        including other files
        using several directories
    records belonging in another zone
    root zone (db.root)
    root, db.root file
    setting up
        A and alias records
        NS records
        PTR records
        shadow namespace
        SOA records
    syntax error in
    TTL, changing on resource records
    updating
        adding and deleting hosts
        generating datafiles from host table
        new serial number
        root hints
        RP records
        SOA serial numbers
        TXT records
    updating loops, slave nameservers
zone statement
    allow-query substatement
    allow-transfer substatement
    allow-update or update-policy substatements
    allow-update-forwarding substatement
    also-notify substatement
    BIND 8
    dialup substatement
    ixfr-base
    ixfr-from-differences substatement
    masters substatement
        port specification
        specifying TSIG key
    max-refresh-time substatement
    max-transfer-idle-in substatement
    max-transfer-idle-out substatement
    max-transfer-time-in substatement
    max-transfer-time-out substatement
    min-refresh-time substatement
    multi-master substatement
    normal zones with forwarders substatement
    notify-source substatement
    preventing zone transfers from slaves
    transfer-source substatement
    transfer-source-v6 substatement
    turning off NOTIFY
    update-policy substatement
    within view statement
zone transfers
    access lists
    complex, example of
    failure because of proprietary WINS records
    following NOTIFY announcement
    incremental
    initiation by AXFR queries
    limiting duration of inbound
    limiting frequency of
    limiting idle time
    limiting requests per nameserver
    limiting total number requested
    limiting total number served simultaneously
    more efficient, with many-answers format
    nslookup
    polling scheme by slave nameservers to determine need for
    preventing unauthorized transfers
    slave unable to reach master server for
    source address for, controlling
    specifying TSIG key
    triggering with NOTIFY
    using dig
    using named-xfer
    using nslookup
    using nslookup or dig
zones
    change notification (DNS NOTIFY)
    delegating hosting of
    domain names, ordering
    domains versus
    example (Movie University)
    forward zones
    keys, types of
    nameserver authority for
    nameservers, types of
    pointers to authoritative nameservers for delegated subdomains
    reason for existing
    registering
    setting up zone data
        loopback address
        root hints
        zone datafiles
    zone default TTL
    signing
        generating key pairs
        parent zone sending keys to be signed
    SOA record, email address of technical contact
    stub zones
    top-level, authoritative nameservers for
    unsigned, delegating to
ZSKs (zone-signing keys)
    re-signing zone with new key
    signing zone with new key

...

[*] Examples are also available online at http://examples.oreilly.com/dns5, ftp://ftp.uu.net/published/oreilly/nutshell/dnsbind/dns.tar.Z, and ftp://ftp.oreilly.com/published/oreilly/nutshell/dnsbind/. In either case, extract the files from the archive by typing:...

Chapter 14, Troubleshooting DNS and BIND
Covers many common DNS and BIND problems and their solutions, and then describes a number of less common, harder-to-diagnose scenarios.

Chapter 15, Programming with the Resolver and Nameserver