BIND 9 Administrator Reference Manual

BIND Version 9.11.4-P1


Table of Contents

1. Introduction
Scope of Document
Organization of This Document
Conventions Used in This Document
The Domain Name System (DNS)
DNS Fundamentals
Domains and Domain Names
Zones
Authoritative Name Servers
Caching Name Servers
Name Servers in Multiple Roles
2. BIND Resource Requirements
Hardware requirements
CPU Requirements
Memory Requirements
Name Server Intensive Environment Issues
Supported Operating Systems
3. Name Server Configuration
Sample Configurations
A Caching-only Name Server
An Authoritative-only Name Server
Load Balancing
Name Server Operations
Tools for Use With the Name Server Daemon
Signals
4. Advanced DNS Features
Notify
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
Split DNS
Example split DNS setup
TSIG
Generating a Shared Key
Loading A New Key
Instructing the Server to Use a Key
TSIG-Based Access Control
Errors
TKEY
SIG(0)
DNSSEC
Generating Keys
Signing the Zone
Configuring Servers
DNSSEC, Dynamic Zones, and Automatic Signing
Converting from insecure to secure
Dynamic DNS update method
Fully automatic zone signing
Private-type records
DNSKEY rollovers
Dynamic DNS update method
Automatic key rollovers
NSEC3PARAM rollovers via UPDATE
Converting from NSEC to NSEC3
Converting from NSEC3 to NSEC
Converting from secure to insecure
Periodic re-signing
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
Validating Resolver
Authoritative Server
PKCS#11 (Cryptoki) support
Prerequisites
Native PKCS#11
OpenSSL-based PKCS#11
PKCS#11 Tools
Using the HSM
Specifying the engine on the command line
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
Configuring DLZ
Sample DLZ Driver
DynDB (Dynamic Database)
Configuring DynDB
Sample DynDB Module
Catalog Zones
Principle of Operation
Configuring Catalog Zones
Catalog Zone format
IPv6 Support in BIND 9
Address Lookups Using AAAA Records
Address to Name Lookups Using Nibble Format
5. The BIND 9 Lightweight Resolver
The Lightweight Resolver Library
Running a Resolver Daemon
6. BIND 9 Configuration Reference
Configuration File Elements
Address Match Lists
Comment Syntax
Configuration File Grammar
acl Statement Grammar
acl Statement Definition and Usage
controls Statement Grammar
controls Statement Definition and Usage
include Statement Grammar
include Statement Definition and Usage
key Statement Grammar
key Statement Definition and Usage
logging Statement Grammar
logging Statement Definition and Usage
lwres Statement Grammar
lwres Statement Definition and Usage
masters Statement Grammar
masters Statement Definition and Usage
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
trusted-keys Statement Definition and Usage
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
view Statement Definition and Usage
zone Statement Grammar
zone Statement Definition and Usage
Zone File
Types of Resource Records and When to Use Them
Discussion of MX Records
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
The Statistics File
Statistics Counters
7. BIND 9 Security Considerations
Access Control Lists
Chroot and Setuid
The chroot Environment
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
Common Problems
It's not working; how can I figure out what's wrong?
Incrementing and Changing the Serial Number
Where Can I Get Help?
A. Release Notes
Release Notes for BIND Version 9.11.4-P1
Introduction
Download
License Change
Legacy Windows No Longer Supported
Security Fixes
New Features
Removed Features
Feature Changes
Bug Fixes
End of Life
Thank You
B. A Brief History of the DNS and BIND
C. General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
Other Documents About BIND
D. BIND 9 DNS Library Support
BIND 9 DNS Library Support
Installation
Known Defects/Restrictions
The dns.conf File
Sample Applications
Library References
I. Manual pages
dig — DNS lookup utility
mdig — DNS pipelined lookup utility
host — DNS lookup utility
delv — DNS lookup and validation utility
nslookup — query Internet name servers interactively
dnssec-checkds — DNSSEC delegation consistency checking tool
dnssec-coverage — checks future DNSKEY coverage for a zone
dnssec-dsfromkey — DNSSEC DS RR generation tool
dnssec-importkey — import DNSKEY records from external systems so they can be managed
dnssec-keyfromlabel — DNSSEC key generation tool
dnssec-keygen — DNSSEC key generation tool
dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy
dnssec-revoke — set the REVOKED bit on a DNSSEC key
dnssec-settime — set the key timing metadata for a DNSSEC key
dnssec-signzone — DNSSEC zone signing tool
dnssec-verify — DNSSEC zone verification tool
lwresd — lightweight resolver daemon
named — Internet domain name server
named.conf — configuration file for named
named-checkconf — named configuration file syntax checking tool
named-checkzone — zone file validity checking or converting tool
named-journalprint — print zone journal in human-readable form
named-nzd2nzf — Convert an NZD database to NZF text format
named-rrchecker — syntax checker for individual DNS resource records
nsupdate — Dynamic DNS update utility
rndc — name server control utility
rndc.conf — rndc configuration file
rndc-confgen — rndc key generation tool
ddns-confgen — ddns key generation tool
arpaname — translate IP addresses to the corresponding ARPA names
dnstap-read — print dnstap data in human-readable form
genrandom — generate a file containing random data
isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND
nsec3hash — generate NSEC3 hash
pkcs11-destroy — destroy PKCS#11 objects
pkcs11-list — list PKCS#11 objects
pkcs11-keygen — generate keys on a PKCS#11 device
pkcs11-tokens — list PKCS#11 available tokens

BIND 9.11.4-P1 (Extended Support Version)