BIND 9 Administrator Reference Manual

BIND Version 9.10.2b1


Table of Contents

1. Introduction
Scope of Document
Organization of This Document
Conventions Used in This Document
The Domain Name System (DNS)
DNS Fundamentals
Domains and Domain Names
Zones
Authoritative Name Servers
Caching Name Servers
Name Servers in Multiple Roles
2. BIND Resource Requirements
Hardware requirements
CPU Requirements
Memory Requirements
Name Server Intensive Environment Issues
Supported Operating Systems
3. Name Server Configuration
Sample Configurations
A Caching-only Name Server
An Authoritative-only Name Server
Load Balancing
Name Server Operations
Tools for Use With the Name Server Daemon
Signals
4. Advanced DNS Features
Notify
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
Split DNS
Example split DNS setup
TSIG
Generate Shared Keys for Each Pair of Hosts
Copying the Shared Secret to Both Machines
Informing the Servers of the Key's Existence
Instructing the Server to Use the Key
TSIG Key Based Access Control
Errors
TKEY
SIG(0)
DNSSEC
Generating Keys
Signing the Zone
Configuring Servers
DNSSEC, Dynamic Zones, and Automatic Signing
Converting from insecure to secure
Dynamic DNS update method
Fully automatic zone signing
Private-type records
DNSKEY rollovers
Dynamic DNS update method
Automatic key rollovers
NSEC3PARAM rollovers via UPDATE
Converting from NSEC to NSEC3
Converting from NSEC3 to NSEC
Converting from secure to insecure
Periodic re-signing
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
Validating Resolver
Authoritative Server
PKCS#11 (Cryptoki) support
Prerequisites
Native PKCS#11
OpenSSL-based PKCS#11
PKCS#11 Tools
Using the HSM
Specifying the engine on the command line
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
Configuring DLZ
Sample DLZ Driver
IPv6 Support in BIND 9
Address Lookups Using AAAA Records
Address to Name Lookups Using Nibble Format
5. The BIND 9 Lightweight Resolver
The Lightweight Resolver Library
Running a Resolver Daemon
6. BIND 9 Configuration Reference
Configuration File Elements
Address Match Lists
Comment Syntax
Configuration File Grammar
acl Statement Grammar
acl Statement Definition and Usage
controls Statement Grammar
controls Statement Definition and Usage
include Statement Grammar
include Statement Definition and Usage
key Statement Grammar
key Statement Definition and Usage
logging Statement Grammar
logging Statement Definition and Usage
lwres Statement Grammar
lwres Statement Definition and Usage
masters Statement Grammar
masters Statement Definition and Usage
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
trusted-keys Statement Definition and Usage
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
view Statement Definition and Usage
zone Statement Grammar
zone Statement Definition and Usage
Zone File
Types of Resource Records and When to Use Them
Discussion of MX Records
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
Statistics Counters
7. BIND 9 Security Considerations
Access Control Lists
Chroot and Setuid
The chroot Environment
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
Common Problems
It's not working; how can I figure out what's wrong?
Incrementing and Changing the Serial Number
Where Can I Get Help?
A. Appendices
Release Notes for BIND Version 9.10.2b1
Introduction
Download
Security Fixes
New Features
Feature Changes
Bug Fixes
End of Life
Thank You
Acknowledgments
A Brief History of the DNS and BIND
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
Other Documents About BIND
BIND 9 DNS Library Support
Prerequisite
Compilation
Installation
Known Defects/Restrictions
The dns.conf File
Sample Applications
Library References
I. Manual pages
dig — DNS lookup utility
host — DNS lookup utility
delv — DNS lookup and validation utility
dnssec-checkds — A DNSSEC delegation consistency checking tool.
dnssec-coverage — checks future DNSKEY coverage for a zone
dnssec-dsfromkey — DNSSEC DS RR generation tool
dnssec-importkey — Import DNSKEY records from external systems so they can be managed.
dnssec-keyfromlabel — DNSSEC key generation tool
dnssec-keygen — DNSSEC key generation tool
dnssec-revoke — Set the REVOKED bit on a DNSSEC key
dnssec-settime — Set the key timing metadata for a DNSSEC key
dnssec-signzone — DNSSEC zone signing tool
dnssec-verify — DNSSEC zone verification tool
named-checkconf — named configuration file syntax checking tool
named-checkzone — zone file validity checking or converting tool
named — Internet domain name server
named-journalprint — print zone journal in human-readable form
named-rrchecker — A syntax checker for individual DNS resource records
nsupdate — Dynamic DNS update utility
rndc — name server control utility
rndc.conf — rndc configuration file
rndc-confgen — rndc key generation tool
ddns-confgen — ddns key generation tool
arpaname — translate IP addresses to the corresponding ARPA names
genrandom — generate a file containing random data
isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND
nsec3hash — generate NSEC3 hash

BIND 9.10.2b1