svn commit: r51739 - head/en_US.ISO8859-1/books/handbook/network-servers
Eitan Adler
eadler at FreeBSD.org
Mon May 28 23:38:42 UTC 2018
Author: eadler
Date: Mon May 28 23:38:40 2018
New Revision: 51739
URL: https://svnweb.freebsd.org/changeset/doc/51739
Log:
handbook: remove information about BIND for FreeBSD 9 and older
There is no supported version of FreeBSD that still includes BIND in
base.
Modified:
head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Mon May 28 23:24:41 2018 (r51738)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Mon May 28 23:38:40 2018 (r51739)
@@ -2972,22 +2972,6 @@ dhcpd_ifaces="dc0"</programlisting>
necessary to run a name server to perform
<acronym>DNS</acronym> lookups on a system.</para>
- <indexterm><primary>BIND</primary></indexterm>
-
- <para>In &os; 10, the Berkeley Internet Name Domain
- (<acronym>BIND</acronym>) has been removed from the base system
- and replaced with Unbound. Unbound as configured in the &os;
- Base is a local caching resolver. <acronym>BIND</acronym> is
- still available from The Ports Collection as <package
- role="port">dns/bind99</package> or <package
- role="port">dns/bind98</package>. In &os; 9 and lower,
- <acronym>BIND</acronym> is included in &os; Base. The &os;
- version provides enhanced security features, a new file system
- layout, and automated &man.chroot.8; configuration.
- <acronym>BIND</acronym> is maintained by the <link
- xlink:href="https://www.isc.org/">Internet Systems
- Consortium</link>.</para>
-
<indexterm><primary>resolver</primary></indexterm>
<indexterm><primary>reverse
<acronym>DNS</acronym></primary></indexterm>
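Review bot: Deleting the entire paragraph also drops the only pointer in this section to where BIND can still be obtained (the removed text named the Ports Collection and linked to ISC), and removes the `<indexterm><primary>BIND</primary></indexterm>` entry, so the index no longer leads readers to the topic at all. Only the version-specific parts went stale (the FreeBSD 9 base inclusion and the fixed `dns/bind99` / `dns/bind98` port names). Suggest keeping the indexterm plus a version-neutral sentence along the lines of `<para><acronym>BIND</acronym> is available from the Ports Collection and is maintained by the <link xlink:href="https://www.isc.org/">Internet Systems Consortium</link>.</para>` so readers who need an authoritative server still know where to look.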
@@ -3024,12 +3008,6 @@ dhcpd_ifaces="dc0"</programlisting>
</row>
<row>
- <entry><application>named</application>, BIND</entry>
- <entry>Common names for the BIND name server package
- within &os;.</entry>
- </row>
-
- <row>
<entry>Resolver</entry>
<entry>A system process through which a machine queries
a name server for zone information.</entry>
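Review bot: The removal boundary here is between the surviving `<row>` opener and the `<entry>Resolver</entry>` line, which keeps the table well-formed, but because the deleted row was the glossary's definition of `named`/BIND, please confirm the rest of the chapter no longer refers to `<application>named</application>` without introduction, and run the doc build's lint target to be sure the `informaltable` still validates after the edit.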
@@ -3158,15 +3136,8 @@ dhcpd_ifaces="dc0"</programlisting>
</sect2>
<sect2>
- <title><acronym>DNS</acronym> Server Configuration in &os; 10.0
- and Later</title>
+ <title><acronym>DNS</acronym> Server Configuration</title>
- <para>In &os; 10.0, <application>BIND</application> has been
- replaced with <application>Unbound</application>.
- <application>Unbound</application> is a validating caching
- resolver only. If an authoritative server is needed, many are
- available from the Ports Collection.</para>
-
<para><application>Unbound</application> is provided in the &os;
base system. By default, it will provide
<acronym>DNS</acronym> resolution to the local machine only.
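Review bot: Two facts in the deleted paragraph are not version-specific and are not restated in the retained context: that Unbound is a validating, caching resolver only, and that an authoritative server has to come from the Ports Collection. With the title now reading just "DNS Server Configuration", a reader who wants to host a zone gets no hint that the base-system daemon cannot do it. Suggest dropping only the "In &os; 10.0, BIND has been replaced" clause and keeping something like `<para><application>Unbound</application> is a validating caching resolver only. If an authoritative server is needed, many are available from the Ports Collection.</para>` ahead of the existing "Unbound is provided in the &os; base system" paragraph.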
@@ -3229,1232 +3200,6 @@ freebsd.org. (A)
|---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
|---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful</screen>
- </sect2>
-
- <sect2>
- <title>DNS Server Configuration in &os;
- 9.<replaceable>X</replaceable></title>
-
- <important>
- <para>This chapter is only applicable to &os; 9 and before.
- <application>BIND9</application> is no longer part of the
- base system in &os; 10 and after, where it has been replaced
- with <application>unbound</application>.</para>
- </important>
-
- <para>In &os;, the BIND daemon is called
- <application>named</application>.</para>
-
- <informaltable frame="none" pgwide="1">
- <tgroup cols="2">
- <thead>
- <row>
- <entry>File</entry>
- <entry>Description</entry>
- </row>
- </thead>
-
- <tbody>
- <row>
- <entry>&man.named.8;</entry>
- <entry>The BIND daemon.</entry>
- </row>
-
- <row>
- <entry>&man.rndc.8;</entry>
- <entry>Name server control utility.</entry>
- </row>
-
- <row>
- <entry><filename>/etc/namedb</filename></entry>
- <entry>Directory where BIND zone information
- resides.</entry>
- </row>
-
- <row>
- <entry><filename>/etc/namedb/named.conf</filename></entry>
- <entry>Configuration file of the daemon.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Depending on how a given zone is configured on the server,
- the files related to that zone can be found in the
- <filename>master</filename>,
- <filename>slave</filename>, or
- <filename>dynamic</filename> subdirectories
- of the <filename>/etc/namedb</filename>
- directory. These files contain the <acronym>DNS</acronym>
- information that will be given out by the name server in
- response to queries.</para>
-
- <sect3>
- <title>Starting BIND</title>
-
- <indexterm>
- <primary>BIND</primary>
- <secondary>starting</secondary>
- </indexterm>
-
- <para>Since BIND is installed by default, configuring it is
- relatively simple.</para>
-
- <para>The default <application>named</application>
- configuration is that of a basic resolving name server,
- running in a &man.chroot.8; environment, and restricted to
- listening on the local IPv4 loopback address (127.0.0.1).
- To start the server one time with this configuration, use
- the following command:</para>
-
- <screen>&prompt.root; <userinput>service named onestart</userinput></screen>
-
- <para>To ensure the <application>named</application> daemon is
- started at boot each time, put the following line into the
- <filename>/etc/rc.conf</filename>:</para>
-
- <programlisting>named_enable="YES"</programlisting>
-
- <para>There are many configuration options for
- <filename>/etc/namedb/named.conf</filename> that are beyond
- the scope of this document. Other startup options for
- <application>named</application> on &os; can be found in the
- <literal>named_<replaceable>*</replaceable></literal> flags
- in <filename>/etc/defaults/rc.conf</filename> and in
- &man.rc.conf.5;. The <xref linkend="configtuning-rcd"/>
- section is also a good read.</para>
- </sect3>
-
- <sect3>
- <title>Configuration Files</title>
-
- <indexterm>
- <primary>BIND</primary>
- <secondary>configuration files</secondary>
- </indexterm>
-
- <para>Configuration files for <application>named</application>
- currently reside in <filename>/etc/namedb</filename>
- directory and will need modification before use unless all
- that is needed is a simple resolver. This is where most of
- the configuration will be performed.</para>
-
- <sect4>
- <title><filename>/etc/namedb/named.conf</filename></title>
-
- <programlisting>// <phrase its:translate="no">$FreeBSD$</phrase>
-//
-// Refer to the named.conf(5) and named(8) man pages, and the documentation
-// in /usr/share/doc/bind9 for more details.
-//
-// If you are going to set up an authoritative server, make sure you
-// understand the hairy details of how DNS works. Even with
-// simple mistakes, you can break connectivity for affected parties,
-// or cause huge amounts of useless Internet traffic.
-
-options {
- // All file and path names are relative to the chroot directory,
- // if any, and should be fully qualified.
- directory "/etc/namedb/working";
- pid-file "/var/run/named/pid";
- dump-file "/var/dump/named_dump.db";
- statistics-file "/var/stats/named.stats";
-
-// If named is being used only as a local resolver, this is a safe default.
-// For named to be accessible to the network, comment this option, specify
-// the proper IP address, or delete this option.
- listen-on { 127.0.0.1; };
-
-// If you have IPv6 enabled on this system, uncomment this option for
-// use as a local resolver. To give access to the network, specify
-// an IPv6 address, or the keyword "any".
-// listen-on-v6 { ::1; };
-
-// These zones are already covered by the empty zones listed below.
-// If you remove the related empty zones below, comment these lines out.
- disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
- disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
- disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
-
-// If you have a DNS server around at your upstream provider, enter
-// its IP address here, and enable the line below. This will make you
-// benefit from its cache, thus reduce overall DNS traffic in the Internet.
-/*
- forwarders {
- 127.0.0.1;
- };
-*/
-
-// If the 'forwarders' clause is not empty the default is to 'forward first'
-// which will fall back to sending a query from your local server if the name
-// servers in 'forwarders' do not have the answer. Alternatively you can
-// force your name server to never initiate queries of its own by enabling the
-// following line:
-// forward only;
-
-// If you wish to have forwarding configured automatically based on
-// the entries in /etc/resolv.conf, uncomment the following line and
-// set named_auto_forward=yes in /etc/rc.conf. You can also enable
-// named_auto_forward_only (the effect of which is described above).
-// include "/etc/namedb/auto_forward.conf";</programlisting>
-
- <para>Just as the comment says, to benefit from an uplink's
- cache, <literal>forwarders</literal> can be enabled here.
- Under normal circumstances, a name server will recursively
- query the Internet looking at certain name servers until
- it finds the answer it is looking for. Having this
- enabled will have it query the uplink's name server (or
- name server provided) first, taking advantage of its
- cache. If the uplink name server in question is a heavily
- trafficked, fast name server, enabling this may be
- worthwhile.</para>
-
- <warning>
- <para><systemitem class="ipaddress">127.0.0.1</systemitem>
- will <emphasis>not</emphasis> work here. Change this
- <acronym>IP</acronym> address to a name server at the
- uplink.</para>
- </warning>
-
- <programlisting> /*
- Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing
- query by default in order to dramatically reduce the possibility
- of cache poisoning. All users are strongly encouraged to utilize
- this feature, and to configure their firewalls to accommodate it.
-
- AS A LAST RESORT in order to get around a restrictive firewall
- policy you can try enabling the option below. Use of this option
- will significantly reduce your ability to withstand cache poisoning
- attacks, and should be avoided if at all possible.
-
- Replace NNNNN in the example with a number between 49160 and 65530.
- */
- // query-source address * port NNNNN;
-};
-
-// If you enable a local name server, do not forget to enter 127.0.0.1
-// first in your /etc/resolv.conf so this server will be queried.
-// Also, make sure to enable it in /etc/rc.conf.
-
-// The traditional root hints mechanism. Use this, OR the slave zones below.
-zone "." { type hint; file "/etc/namedb/named.root"; };
-
-/* Slaving the following zones from the root name servers has some
- significant advantages:
- 1. Faster local resolution for your users
- 2. No spurious traffic will be sent from your network to the roots
- 3. Greater resilience to any potential root server failure/DDoS
-
- On the other hand, this method requires more monitoring than the
- hints file to be sure that an unexpected failure mode has not
- incapacitated your server. Name servers that are serving a lot
- of clients will benefit more from this approach than individual
- hosts. Use with caution.
-
- To use this mechanism, uncomment the entries below, and comment
- the hint zone above.
-
- As documented at http://dns.icann.org/services/axfr/ these zones:
- "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
- are available for AXFR from these servers on IPv4 and IPv6:
- xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
-*/
-/*
-zone "." {
- type slave;
- file "/etc/namedb/slave/root.slave";
- masters {
- 192.5.5.241; // F.ROOT-SERVERS.NET.
- };
- notify no;
-};
-zone "arpa" {
- type slave;
- file "/etc/namedb/slave/arpa.slave";
- masters {
- 192.5.5.241; // F.ROOT-SERVERS.NET.
- };
- notify no;
-};
-*/
-
-/* Serving the following zones locally will prevent any queries
- for these zones leaving your network and going to the root
- name servers. This has two significant advantages:
- 1. Faster local resolution for your users
- 2. No spurious traffic will be sent from your network to the roots
-*/
-// RFCs 1912 and 5735 (and BCP 32 for localhost)
-zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; };
-zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
-zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// RFC 1912-style zone for IPv6 localhost address
-zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
-
-// "This" Network (RFCs 1912 and 5735)
-zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// Private Use Networks (RFCs 1918 and 5735)
-zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// Link-local/APIPA (RFCs 3927 and 5735)
-zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IETF protocol assignments (RFCs 5735 and 5736)
-zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// TEST-NET-[1-3] for Documentation (RFCs 5735 and 5737)
-zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IPv6 Range for Documentation (RFC 3849)
-zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// Domain Names for Documentation and Testing (BCP 32)
-zone "test" { type master; file "/etc/namedb/master/empty.db"; };
-zone "example" { type master; file "/etc/namedb/master/empty.db"; };
-zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
-zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
-zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
-zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };
-
-// Router Benchmark Testing (RFCs 2544 and 5735)
-zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IANA Reserved - Old Class E Space (RFC 5735)
-zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "244.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "245.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IPv6 Unassigned Addresses (RFC 4291)
-zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "3.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "4.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "5.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "6.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "7.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "8.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "9.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "a.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "b.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "c.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "d.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "1.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "2.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "3.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "4.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "5.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "6.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "7.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "8.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "9.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "a.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "1.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "2.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "3.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "4.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "5.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "6.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IPv6 ULA (RFC 4193)
-zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IPv6 Link Local (RFC 4291)
-zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IPv6 Deprecated Site-Local Addresses (RFC 3879)
-zone "c.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
-
-// IP6.INT is Deprecated (RFC 4159)
-zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; };
-
-// NB: Do not use the IP addresses below, they are faked, and only
-// serve demonstration/documentation purposes!
-//
-// Example slave zone config entries. It can be convenient to become
-// a slave at least for the zone your own domain is in. Ask
-// your network administrator for the IP address of the responsible
-// master name server.
-//
-// Do not forget to include the reverse lookup zone!
-// This is named after the first bytes of the IP address, in reverse
-// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
-//
-// Before starting to set up a master zone, make sure you fully
-// understand how DNS and BIND work. There are sometimes
-// non-obvious pitfalls. Setting up a slave zone is usually simpler.
-//
-// NB: Do not blindly enable the examples below. :-) Use actual names
-// and addresses instead.
-
-/* An example dynamic zone
-key "exampleorgkey" {
- algorithm hmac-md5;
- secret "sf87HJqjkqh8ac87a02lla==";
-};
-zone "example.org" {
- type master;
- allow-update {
- key "exampleorgkey";
- };
- file "/etc/namedb/dynamic/example.org";
-};
-*/
-
-/* Example of a slave reverse zone
-zone "1.168.192.in-addr.arpa" {
- type slave;
- file "/etc/namedb/slave/1.168.192.in-addr.arpa";
- masters {
- 192.168.1.1;
- };
-};
-*/</programlisting>
-
- <para>In <filename>named.conf</filename>, these are examples
- of slave entries for a forward and reverse zone.</para>
-
- <para>For each new zone served, a new zone entry must be
- added to <filename>named.conf</filename>.</para>
-
- <para>For example, the simplest zone entry for
- <systemitem class="fqdomainname">example.org</systemitem>
- can look like:</para>
-
- <programlisting>zone "example.org" {
- type master;
- file "master/example.org";
-};</programlisting>
-
- <para>The zone is a master, as indicated by the
- <option>type</option> statement, holding its zone
- information in
- <filename>/etc/namedb/master/example.org</filename>
- indicated by the <option>file</option> statement.</para>
-
- <programlisting>zone "example.org" {
- type slave;
- file "slave/example.org";
-};</programlisting>
-
- <para>In the slave case, the zone information is transferred
- from the master name server for the particular zone, and
- saved in the file specified. If and when the master
- server dies or is unreachable, the slave name server will
- have the transferred zone information and will be able to
- serve it.</para>
- </sect4>
-
- <sect4>
- <title>Zone Files</title>
-
- <indexterm>
- <primary>BIND</primary>
- <secondary>zone files</secondary>
- </indexterm>
-
- <para>An example master zone file for
- <systemitem class="fqdomainname">example.org</systemitem>
- (existing within
- <filename>/etc/namedb/master/example.org</filename>) is as
- follows:</para>
-
- <programlisting>$TTL 3600 ; 1 hour default TTL
-example.org. IN SOA ns1.example.org. admin.example.org. (
- 2006051501 ; Serial
- 10800 ; Refresh
- 3600 ; Retry
- 604800 ; Expire
- 300 ; Negative Response TTL
- )
-
-; DNS Servers
- IN NS ns1.example.org.
- IN NS ns2.example.org.
-
-; MX Records
- IN MX 10 mx.example.org.
- IN MX 20 mail.example.org.
-
- IN A 192.168.1.1
-
-; Machine Names
-localhost IN A 127.0.0.1
-ns1 IN A 192.168.1.2
-ns2 IN A 192.168.1.3
-mx IN A 192.168.1.4
-mail IN A 192.168.1.5
-
-; Aliases
-www IN CNAME example.org.</programlisting>
-
- <para>Note that every hostname ending in a <quote>.</quote>
- is an exact hostname, whereas everything without a
- trailing <quote>.</quote> is relative to the origin. For
- example, <literal>ns1</literal> is translated into
- <literal>ns1.<replaceable>example.org.</replaceable></literal></para>
-
- <para>The format of a zone file follows:</para>
-
- <programlisting>recordname IN recordtype value</programlisting>
-
- <indexterm>
- <primary><acronym>DNS</acronym></primary>
- <secondary>records</secondary>
- </indexterm>
-
- <para>The most commonly used <acronym>DNS</acronym>
- records:</para>
-
- <variablelist>
- <varlistentry>
- <term>SOA</term>
-
- <listitem>
- <para>start of zone authority</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>NS</term>
-
- <listitem>
- <para>an authoritative name server</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>A</term>
-
- <listitem>
- <para>a host address</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>CNAME</term>
-
- <listitem>
- <para>the canonical name for an alias</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>MX</term>
-
- <listitem>
- <para>mail exchanger</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PTR</term>
-
- <listitem>
- <para>a domain name pointer (used in reverse
- <acronym>DNS</acronym>)</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <programlisting>example.org. IN SOA ns1.example.org. admin.example.org. (
- 2006051501 ; Serial
- 10800 ; Refresh after 3 hours
- 3600 ; Retry after 1 hour
- 604800 ; Expire after 1 week
- 300 ) ; Negative Response TTL</programlisting>
-
- <variablelist>
- <varlistentry>
- <term><systemitem
- class="fqdomainname">example.org.</systemitem></term>
-
- <listitem>
- <para>the domain name, also the origin for this
- zone file.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><systemitem
- class="fqdomainname">ns1.example.org.</systemitem></term>
-
- <listitem>
- <para>the primary/authoritative name server for this
- zone.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><literal>admin.example.org.</literal></term>
-
- <listitem>
- <para>the responsible person for this zone,
- email address with <quote>@</quote>
- replaced. (<email>admin at example.org</email> becomes
- <literal>admin.example.org</literal>)</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><literal>2006051501</literal></term>
-
- <listitem>
- <para>the serial number of the file. This must be
- incremented each time the zone file is modified.
- Nowadays, many admins prefer a
- <literal>yyyymmddrr</literal> format for the serial
- number. <literal>2006051501</literal> would mean
- last modified 05/15/2006, the latter
- <literal>01</literal> being the first time the zone
- file has been modified this day. The serial number
- is important as it alerts slave name servers for a
- zone when it is updated.</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <programlisting> IN NS ns1.example.org.</programlisting>
-
- <para>This is an NS entry. Every name server that is going
- to reply authoritatively for the zone must have one of
- these entries.</para>
-
- <programlisting>localhost IN A 127.0.0.1
-ns1 IN A 192.168.1.2
-ns2 IN A 192.168.1.3
-mx IN A 192.168.1.4
-mail IN A 192.168.1.5</programlisting>
-
- <para>The A record indicates machine names. As seen above,
- <systemitem
- class="fqdomainname">ns1.example.org</systemitem> would
- resolve to <systemitem
- class="ipaddress">192.168.1.2</systemitem>.</para>
-
- <programlisting> IN A 192.168.1.1</programlisting>
-
- <para>This line assigns <acronym>IP</acronym> address
- <systemitem class="ipaddress">192.168.1.1</systemitem> to
- the current origin, in this case <systemitem
- class="fqdomainname">example.org</systemitem>.</para>
-
- <programlisting>www IN CNAME @</programlisting>
-
- <para>The canonical name record is usually used for giving
- aliases to a machine. In the example,
- <systemitem>www</systemitem> is aliased to the
- <quote>master</quote> machine whose name happens to be the
- same as the domain name
- <systemitem class="fqdomainname">example.org</systemitem>
- (<systemitem class="ipaddress">192.168.1.1</systemitem>).
- CNAMEs can never be used together with another kind of
- record for the same hostname.</para>
-
- <indexterm>
- <primary>MX record</primary>
- </indexterm>
-
- <programlisting> IN MX 10 mail.example.org.</programlisting>
-
- <para>The MX record indicates which mail servers are
- responsible for handling incoming mail for the zone.
- <systemitem
- class="fqdomainname">mail.example.org</systemitem> is
- the hostname of a mail server, and 10 is the priority of
- that mail server.</para>
-
- <para>One can have several mail servers, with priorities of
- 10, 20 and so on. A mail server attempting to deliver to
- <systemitem class="fqdomainname">example.org</systemitem>
- would first try the highest priority MX (the record with
- the lowest priority number), then the second highest, etc,
- until the mail can be properly delivered.</para>
-
- <para>For in-addr.arpa zone files (reverse
- <acronym>DNS</acronym>), the same format is used, except
- with PTR entries instead of A or CNAME.</para>
-
- <programlisting>$TTL 3600
-
-1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
- 2006051501 ; Serial
- 10800 ; Refresh
- 3600 ; Retry
- 604800 ; Expire
- 300 ) ; Negative Response TTL
-
- IN NS ns1.example.org.
- IN NS ns2.example.org.
-
-1 IN PTR example.org.
-2 IN PTR ns1.example.org.
-3 IN PTR ns2.example.org.
-4 IN PTR mx.example.org.
-5 IN PTR mail.example.org.</programlisting>
-
- <para>This file gives the proper <acronym>IP</acronym>
- address to hostname mappings for the above fictitious
- domain.</para>
-
- <para>It is worth noting that all names on the right side
- of a PTR record need to be fully qualified (i.e., end in
- a <quote>.</quote>).</para>
- </sect4>
- </sect3>
-
- <sect3>
- <title>Caching Name Server</title>
-
- <indexterm>
- <primary>BIND</primary>
- <secondary>caching name server</secondary>
- </indexterm>
-
- <para>A caching name server is a name server whose primary
- role is to resolve recursive queries. It simply asks
- queries of its own, and remembers the answers for later
- use.</para>
- </sect3>
-
- <sect3>
- <title><acronym role="Domain Name Security
- Extensions">DNSSEC</acronym></title>
-
- <indexterm>
- <primary>BIND</primary>
- <secondary><acronym>DNS</acronym> security
- extensions</secondary>
- </indexterm>
-
- <para>Domain Name System Security Extensions, or <acronym
- role="Domain Name Security Extensions">DNSSEC</acronym>
- for short, is a suite of specifications to protect resolving
- name servers from forged <acronym>DNS</acronym> data, such
- as spoofed <acronym>DNS</acronym> records. By using digital
- signatures, a resolver can verify the integrity of the
- record. Note that <acronym role="Domain Name Security
- Extensions">DNSSEC</acronym> only provides integrity via
- digitally signing the Resource Records (<acronym
- role="Resource Record">RR</acronym>s). It provides
- neither confidentiality nor protection against false
- end-user assumptions. This means that it cannot protect
- against people going to
- <systemitem class="fqdomainname">example.net</systemitem>
- instead of
- <systemitem class="fqdomainname">example.com</systemitem>.
- The only thing <acronym>DNSSEC</acronym> does is
- authenticate that the data has not been compromised in
- transit. The security of <acronym>DNS</acronym> is an
- important step in securing the Internet in general. For
- more in-depth details of how <acronym>DNSSEC</acronym>
- works, the relevant <acronym>RFC</acronym>s are a good place
- to start. See the list in
- <xref linkend="dns-read"/>.</para>
-
- <para>The following sections will demonstrate how to enable
- <acronym>DNSSEC</acronym> for an authoritative
- <acronym>DNS</acronym> server and a recursive (or caching)
- <acronym>DNS</acronym> server running
- <acronym>BIND</acronym> 9. While all versions of
- <acronym>BIND</acronym> 9 support <acronym>DNSSEC</acronym>,
- it is necessary to have at least version 9.6.2 in order to
- be able to use the signed root zone when validating
- <acronym>DNS</acronym> queries. This is because earlier
- versions lack the required algorithms to enable validation
- using the root zone key. It is strongly recommended to use
- the latest version of <acronym>BIND</acronym> 9.7 or later
- to take advantage of automatic key updating for the root
- key, as well as other features to automatically keep zones
- signed and signatures up to date. Where configurations
- differ between 9.6.2 and 9.7 and later, differences will be
- pointed out.</para>
-
- <sect4>
- <title>Recursive <acronym>DNS</acronym> Server
- Configuration</title>
-
- <para>Enabling <acronym>DNSSEC</acronym> validation of
- queries performed by a recursive <acronym>DNS</acronym>
- server requires a few changes to
- <filename>named.conf</filename>. Before making these
- changes the root zone key, or trust anchor, must be
- acquired. Currently the root zone key is not available in
- a file format <acronym>BIND</acronym> understands, so it
- has to be manually converted into the proper format. The
- key itself can be obtained by querying the root zone for
- it using <application>dig</application>. By
- running</para>
-
- <screen>&prompt.user; <userinput>dig +multi +noall +answer DNSKEY . > root.dnskey</userinput></screen>
-
- <para>the key will end up in
- <filename>root.dnskey</filename>. The contents should
- look something like this:</para>
-
- <programlisting>. 93910 IN DNSKEY 257 3 8 (
- AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
- bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
- /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
- JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
- oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
- LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
- Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
- LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
- ) ; key id = 19036
-. 93910 IN DNSKEY 256 3 8 (
- AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
- UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
- g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
- EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
-) ; key id = 34525</programlisting>
-
- <para>Do not be alarmed if the obtained keys differ from
- this example. They might have changed since these
- instructions were last updated. This output actually
- contains two keys. The first key in the listing, with the
- value 257 after the DNSKEY record type, is the one needed.
- This value indicates that this is a Secure Entry Point
- (<acronym role="Secure Entry Point">SEP</acronym>),
- commonly known as a Key Signing Key
- (<acronym role="Key Signing Key">KSK</acronym>). The
- second key, with value 256, is a subordinate key, commonly
- called a Zone Signing Key
- (<acronym role="Zone Signing Key">ZSK</acronym>). More on
- the different key types later in
- <xref linkend="dns-dnssec-auth"/>.</para>
-
- <para>Now the key must be verified and formatted so that
- <acronym>BIND</acronym> can use it. To verify the key,
- generate a <acronym role="Delegation Signer">DS</acronym>
- <acronym role="Resource Record">RR</acronym> set. Create
- a file containing these
- <acronym role="Resource Record">RR</acronym>s with</para>
-
- <screen>&prompt.user; <userinput>dnssec-dsfromkey -f root.dnskey . > root.ds</userinput></screen>
-
- <para>These records use SHA-1 and SHA-256 respectively, and
- should look similar to the following example, where the
- longer is using SHA-256.</para>
-
- <programlisting>. IN DS 19036 8 1
- B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
-. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting>
-
- <para>The SHA-256 <acronym>RR</acronym> can now be compared
- to the digest in <link
- xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>.
- To be absolutely sure that the key has not been tampered
- with the data in the <acronym>XML</acronym> file should be
- verified using a proper <acronym>PGP</acronym> signature.</para>
-
-
- <para>Next, the key must be formatted properly. This
- differs a little between <acronym>BIND</acronym> versions
- 9.6.2 and 9.7 and later. In version 9.7 support was added
- to automatically track changes to the key and update it as
- necessary. This is done using
- <literal>managed-keys</literal> as seen in the example
- below. When using the older version, the key is added
- using a <literal>trusted-keys</literal> statement and
- updates must be done manually. For
- <acronym>BIND</acronym> 9.6.2 the format should look
- like:</para>
-
- <programlisting>trusted-keys {
- "." 257 3 8
- "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
-};</programlisting>
-
- <para>For 9.7 the format will instead be:</para>
-
- <programlisting>managed-keys {
- "." initial-key 257 3 8
- "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
-};</programlisting>
-
- <para>The root key can now be added to
- <filename>named.conf</filename> either directly or by
- including a file containing the key. After these steps,
- configure <acronym>BIND</acronym> to do
- <acronym>DNSSEC</acronym> validation on queries by editing
- <filename>named.conf</filename> and adding the following
- to the <literal>options</literal> directive:</para>
-
- <programlisting>dnssec-enable yes;
-dnssec-validation yes;</programlisting>
-
- <para>To verify that it is actually working use
- <application>dig</application> to make a query for a
- signed zone using the resolver just configured. A
- successful reply will contain the <literal>AD</literal>
- flag to indicate the data was authenticated. Running a
- query such as</para>
-
- <screen>&prompt.user; <userinput>dig @<replaceable>resolver</replaceable> +dnssec se ds </userinput></screen>
-
- <para>should return the <acronym>DS</acronym>
- <acronym>RR</acronym> for the <literal>.se</literal> zone.
- In the <literal>flags:</literal> section the
- <literal>AD</literal> flag should be set, as seen
- in:</para>
-
- <programlisting>...
-;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
-...</programlisting>
-
- <para>The resolver is now capable of authenticating
- <acronym>DNS</acronym> queries.</para>
- </sect4>
-
- <sect4 xml:id="dns-dnssec-auth">
- <title>Authoritative <acronym>DNS</acronym> Server
- Configuration</title>
-
- <para>In order to get an authoritative name server to serve
- a <acronym>DNSSEC</acronym> signed zone a little more work
- is required. A zone is signed using cryptographic keys
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***