<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Id -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&#160;1.&#160;Introduction</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="next" href="Bv9ARM.ch02.html" title="Chapter&#160;2.&#160;BIND Resource Requirements">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&#160;1.&#160;Introduction</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.html">Prev</a>&#160;</td>
<th width="60%" align="center">&#160;</th>
<td width="20%" align="right">&#160;<a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch01"></a>Chapter&#160;1.&#160;Introduction</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
 The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
 consists of the syntax to specify the names of entities in the Internet
 in a hierarchical manner, the rules used for delegating authority over
 names, and the system implementation that actually maps names to Internet
 addresses. <acronym class="acronym">DNS</acronym> data is maintained in a
 group of distributed hierarchical databases.
 </p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563509"></a>Scope of Document</h2></div></div></div>
<p>
 The Berkeley Internet Name Domain
 (<acronym class="acronym">BIND</acronym>) implements a
 domain name server for a number of operating systems. This
 document provides basic information about the installation and
 care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
 <acronym class="acronym">BIND</acronym> version 9 software package for
 system administrators.
 </p>
<p>This version of the manual corresponds to BIND version 9.10.</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563533"></a>Organization of This Document</h2></div></div></div>
<p>
 In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
 the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
 describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
 environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
 <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
 organized functionally, to aid in the process of installing the
 <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
 section is followed by
 <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
 concepts that the system administrator may need for implementing
 certain options. <span class="emphasis"><em>Chapter 5</em></span>
 describes the <acronym class="acronym">BIND</acronym> 9 lightweight
 resolver.
 The contents of <span class="emphasis"><em>Chapter 6</em></span> are
 organized as in a reference manual to aid in the ongoing
 maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
 security considerations, and
 <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
 main body of the document is followed by several
 <span class="emphasis"><em>appendices</em></span> which contain useful reference
 information, such as a <span class="emphasis"><em>bibliography</em></span> and
 historic information related to <acronym class="acronym">BIND</acronym>
 and the Domain Name System.
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564629"></a>Conventions Used in This Document</h2></div></div></div>
<p>
 In this document, we use the following general typographic
 conventions:
 </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
 <p>
 <span class="emphasis"><em>To describe:</em></span>
 </p>
 </td>
<td>
 <p>
 <span class="emphasis"><em>We use the style:</em></span>
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 a pathname, filename, URL, hostname,
 mailing list name, or new term or concept
 </p>
 </td>
<td>
 <p>
 <code class="filename">Fixed width</code>
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 literal user input
 </p>
 </td>
<td>
 <p>
 <strong class="userinput"><code>Fixed Width Bold</code></strong>
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 program output
 </p>
 </td>
<td>
 <p>
 <code class="computeroutput">Fixed Width</code>
 </p>
 </td>
</tr>
</tbody>
</table></div>
<p>
 The following conventions are used in descriptions of the
 <acronym class="acronym">BIND</acronym> configuration file:</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
 <p>
 <span class="emphasis"><em>To describe:</em></span>
 </p>
 </td>
<td>
 <p>
 <span class="emphasis"><em>We use the style:</em></span>
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 keywords
 </p>
 </td>
<td>
 <p>
 <code class="literal">Fixed Width</code>
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 variables
 </p>
 </td>
<td>
 <p>
 <code class="varname">Fixed Width</code>
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 Optional input
 </p>
 </td>
<td>
 <p>
 [<span class="optional">Text is enclosed in square brackets</span>]
 </p>
 </td>
</tr>
</tbody>
</table></div>
<p>
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564810"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
 The purpose of this document is to explain the installation
 and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
 Name Domain) software package, and we
 begin by reviewing the fundamentals of the Domain Name System
 (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564832"></a>DNS Fundamentals</h3></div></div></div>
<p>
 The Domain Name System (DNS) is a hierarchical, distributed
 database. It stores information for mapping Internet host names to
 IP addresses and vice versa, mail routing information, and other data
 used by Internet applications.
 </p>
<p>
 Clients look up information in the DNS by calling a
 <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
 more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
 The <acronym class="acronym">BIND</acronym> 9 software distribution
 contains a name server, <span><strong class="command">named</strong></span>, and a resolver
 library, <span><strong class="command">liblwres</strong></span>. The older
 <span><strong class="command">libbind</strong></span> resolver library is also available
 from ISC as a separate download.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564934"></a>Domains and Domain Names</h3></div></div></div>
<p>
 The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span>
 that are organized as a tree according to
 organizational or administrative boundaries. Each node of the tree,
 called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
 name of the node is the concatenation of all the labels on the path from the
 node to the <span class="emphasis"><em>root</em></span> node. In written form this
 is a string of labels separated by dots, with the node's own label first
 and the labels closer to the root to its right. A label need only be
 unique within its parent domain.
 </p>
<p>
 For example, a domain name for a host at the
 company <span class="emphasis"><em>Example, Inc.</em></span> could be
 <code class="literal">ourhost.example.com</code>,
 where <code class="literal">com</code> is the
 top level domain to which
 <code class="literal">ourhost.example.com</code> belongs,
 <code class="literal">example</code> is
 a subdomain of <code class="literal">com</code>, and
 <code class="literal">ourhost</code> is the
 name of the host.
 </p>
<p>
 For administrative purposes, the name space is partitioned into
 areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
 extending down to the leaf nodes or to nodes where other zones
 start. The data for each zone is stored in a
 <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
 <span class="emphasis"><em>DNS protocol</em></span>.
 </p>
<p>
 The data associated with each domain name is stored in the
 form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
 Some of the supported resource record types are described in
 <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>.
 </p>
<p>
 For more detailed information about the design of the DNS and
 the DNS protocol, please refer to the standards documents listed in
 <a href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567271"></a>Zones</h3></div></div></div>
<p>
 To properly operate a name server, it is important to understand
 the difference between a <span class="emphasis"><em>zone</em></span>
 and a <span class="emphasis"><em>domain</em></span>.
 </p>
<p>
 As stated previously, a zone is a point of delegation in
 the <acronym class="acronym">DNS</acronym> tree. A zone consists of
 those contiguous parts of the domain
 tree for which a name server has complete information and over which
 it has authority. It contains all domain names from a certain point
 downward in the domain tree except those which are delegated to
 other zones. A delegation point is marked by one or more
 <span class="emphasis"><em>NS records</em></span> in the
 parent zone, which should be matched by equivalent NS records at
 the root of the delegated zone.
 </p>
<p>
 For instance, consider the <code class="literal">example.com</code>
 domain which includes names
 such as <code class="literal">host.aaa.example.com</code> and
 <code class="literal">host.bbb.example.com</code> even though
 the <code class="literal">example.com</code> zone includes
 only delegations for the <code class="literal">aaa.example.com</code> and
 <code class="literal">bbb.example.com</code> zones. A zone can
 map exactly to a single domain, but could also include only part of a
 domain, the rest of which could be delegated to other
 name servers. Every name in the <acronym class="acronym">DNS</acronym>
 tree is a <span class="emphasis"><em>domain</em></span>, even if it is
 <span class="emphasis"><em>terminal</em></span>, that is, has no
 <span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
 every domain except the root is also a subdomain. The terminology is
 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
 to gain a complete understanding of this difficult and subtle
 topic.
 </p>
<p>
 Though <acronym class="acronym">BIND</acronym> is called a "domain name
 server", it deals primarily in terms of zones. The master and slave
 declarations in the <code class="filename">named.conf</code> file
 specify zones, not domains. When you ask some other site if it is willing to
 be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
 actually asking for slave service for some collection of zones.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567348"></a>Authoritative Name Servers</h3></div></div></div>
<p>
 Each zone is served by at least
 one <span class="emphasis"><em>authoritative name server</em></span>,
 which contains the complete data for the zone.
 To make the DNS tolerant of server and network failures,
 most zones have two or more authoritative servers, on
 different networks.
 </p>
<p>
 Responses from authoritative servers have the "authoritative
 answer" (AA) bit set in the response packets. This makes them
 easy to identify when debugging DNS configurations using tools like
 <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>).
 </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567371"></a>The Primary Master</h4></div></div></div>
<p>
 The authoritative server where the master copy of the zone
 data is maintained is called the
 <span class="emphasis"><em>primary master</em></span> server, or simply the
 <span class="emphasis"><em>primary</em></span>. Typically it loads the zone
 contents from some local file edited by humans or perhaps
 generated mechanically from some other local file which is
 edited by humans. This file is called the
 <span class="emphasis"><em>zone file</em></span> or
 <span class="emphasis"><em>master file</em></span>.
 </p>
<p>
 In some cases, however, the master file may not be edited
 by humans at all, but may instead be the result of
 <span class="emphasis"><em>dynamic update</em></span> operations.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567401"></a>Slave Servers</h4></div></div></div>
<p>
 The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
 servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
 load the zone contents from another server using a replication process
 known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data
 are transferred directly from the primary master, but they can also be
 transferred from another slave. In other words, a slave server
 may itself act as a master to a subordinate slave server.
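The zone-versus-domain distinction and the delegation rule from the Zones section above (the NS records at a delegation point in the parent must be matched at the apex of the delegated zone) can be checked mechanically, comparing names label by label rather than as string suffixes so that a look-alike such as badexample.com is not taken to be under example.com. This is an added Python example, not code from the BIND manual or from ISC: the zone apexes, NS RRsets and server names are constructed, and the function names are the example's own.

```python
"""Zone membership and delegation consistency for a small constructed DNS tree.

Added example, not part of the BIND manual. All comparisons are label-wise:
"host.example.com" is under "example.com", but "badexample.com" is not, even
though it ends with the same characters.
"""
from typing import Dict, List, Optional, Set


def labels(name: str) -> List[str]:
    """Split a name into lower-cased labels, the node's own label first and the
    label nearest the root last. A trailing dot (the root) is dropped; the
    empty name or "." is the root itself and yields no labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if `name` is `ancestor` itself or lies below it in the domain tree.
    The root ("") is an ancestor of every name."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and (not a or n[-len(a):] == a)


def enclosing_zone(name: str, zone_apexes: Set[str]) -> Optional[str]:
    """Return the apex of the most specific zone that contains `name`.

    The zone is the apex with the most labels that is an ancestor of the name.
    This is why host.aaa.example.com belongs to the aaa.example.com zone even
    though it is part of the example.com domain: example.com only delegates."""
    best = None
    for apex in zone_apexes:
        if is_subdomain(name, apex):
            if best is None or len(labels(apex)) > len(labels(best)):
                best = apex
    return best


def check_delegation(parent_ns: Set[str], apex_ns: Set[str]) -> Dict[str, Set[str]]:
    """Compare the NS RRset the parent publishes at the delegation point with the
    NS RRset the child publishes at its own apex.

    Servers at the apex that the parent omits are allowed ("apex_only");
    servers the parent lists that are absent from the apex break the rule
    and are returned as "errors"."""
    parent = {s.rstrip(".").lower() for s in parent_ns}
    apex = {s.rstrip(".").lower() for s in apex_ns}
    return {"errors": parent - apex, "apex_only": apex - parent}


# Constructed data (not from the manual): the zones cut out of the example.com
# domain, and the NS RRsets on both sides of each delegation point.
ZONE_APEXES = {"com", "example.com", "aaa.example.com", "bbb.example.com"}

DELEGATIONS = {
    "aaa.example.com": {
        # an extra server at the apex that the parent does not list: allowed
        "parent_ns": {"ns1.aaa.example.com.", "ns2.aaa.example.com."},
        "apex_ns": {"ns1.aaa.example.com.", "ns2.aaa.example.com.",
                    "ns3.aaa.example.com."},
    },
    "bbb.example.com": {
        # a stale server left in the parent's delegation: an error
        "parent_ns": {"ns1.bbb.example.com.", "old-ns.bbb.example.com."},
        "apex_ns": {"ns1.bbb.example.com."},
    },
}


def audit_delegations() -> Dict[str, Dict[str, Set[str]]]:
    """Run check_delegation over every delegation in the constructed data."""
    return {apex: check_delegation(d["parent_ns"], d["apex_ns"])
            for apex, d in DELEGATIONS.items()}


if __name__ == "__main__":
    for name in ("host.aaa.example.com", "www.example.com", "badexample.com"):
        print(f"{name:22} -> zone {enclosing_zone(name, ZONE_APEXES)}")
    for apex, result in audit_delegations().items():
        print(f"{apex}: errors={sorted(result['errors'])} "
              f"apex_only={sorted(result['apex_only'])}")
```

Run stand-alone, it prints the enclosing zone of three constructed names and the result of each delegation check.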
424*00b67f09SDavid van Moolenbroek </p> 425*00b67f09SDavid van Moolenbroek</div> 426*00b67f09SDavid van Moolenbroek<div class="sect3" lang="en"> 427*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h4 class="title"> 428*00b67f09SDavid van Moolenbroek<a name="id2567422"></a>Stealth Servers</h4></div></div></div> 429*00b67f09SDavid van Moolenbroek<p> 430*00b67f09SDavid van Moolenbroek Usually all of the zone's authoritative servers are listed in 431*00b67f09SDavid van Moolenbroek NS records in the parent zone. These NS records constitute 432*00b67f09SDavid van Moolenbroek a <span class="emphasis"><em>delegation</em></span> of the zone from the parent. 433*00b67f09SDavid van Moolenbroek The authoritative servers are also listed in the zone file itself, 434*00b67f09SDavid van Moolenbroek at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span> 435*00b67f09SDavid van Moolenbroek of the zone. You can list servers in the zone's top-level NS 436*00b67f09SDavid van Moolenbroek records that are not in the parent's NS delegation, but you cannot 437*00b67f09SDavid van Moolenbroek list servers in the parent's delegation that are not present at 438*00b67f09SDavid van Moolenbroek the zone's top level. 439*00b67f09SDavid van Moolenbroek </p> 440*00b67f09SDavid van Moolenbroek<p> 441*00b67f09SDavid van Moolenbroek A <span class="emphasis"><em>stealth server</em></span> is a server that is 442*00b67f09SDavid van Moolenbroek authoritative for a zone but is not listed in that zone's NS 443*00b67f09SDavid van Moolenbroek records. 
Stealth servers can be used for keeping a local copy of a
zone to speed up access to the zone's records or to make sure that the
zone is available even if all the "official" servers for the zone are
inaccessible.
</p>
<p>
A configuration where the primary master server itself is a
stealth server is often referred to as a "hidden primary"
configuration. One use for this configuration is when the primary master
is behind a firewall and therefore unable to communicate directly
with the outside world.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567589"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
capable of performing the full DNS resolution process by themselves by talking
directly to the authoritative servers. Instead, they rely on a local
name server to perform the resolution on their behalf.
Such a server
is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
<span class="emphasis"><em>recursive lookups</em></span> for local clients.
</p>
<p>
To improve performance, recursive servers cache the results of
the lookups they perform. Since the processes of recursion and
caching are intimately connected, the terms
<span class="emphasis"><em>recursive server</em></span> and
<span class="emphasis"><em>caching server</em></span> are often used synonymously.
</p>
<p>
The length of time for which a record may be retained in
the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567624"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself.
Instead, it can
<span class="emphasis"><em>forward</em></span> some or all of the queries
that it cannot satisfy from its cache to another caching name server,
commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
</p>
<p>
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an answer
is found. Forwarders are typically used when you do not
wish all the servers at a given site to interact directly with the rest of
the Internet servers. A typical scenario would involve a number
of internal <acronym class="acronym">DNS</acronym> servers and an
Internet firewall. Servers unable
to pass packets through the firewall would forward to the server
that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
on the internal server's behalf.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567651"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
a master for some zones, a slave for other zones, and as a caching
(recursive) server for a set of local clients.
</p>
<p>
However, since the functions of authoritative name service
and caching/recursive name service are logically separate, it is
often advantageous to run them on separate server machines.
A server that only provides authoritative name service
(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
recursion disabled, improving reliability and security.
A server that is not authoritative for any zones and only provides
recursive service to local
clients (a <span class="emphasis"><em>caching-only</em></span> server)
does not need to be reachable from the Internet at large and can
be placed inside a firewall.
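</p>
<p>
The server roles described in the Slave Servers, Stealth Servers, Forwarding and Name Servers in Multiple Roles sections above, written out as <code class="filename">named.conf</code> fragments; this is an added example, not configuration from the BIND ARM. Each fragment stands for the <code class="filename">named.conf</code> of a different machine (a hidden primary, a public slave and an internal caching-only server), and every name and address is a placeholder: the zone <code class="literal">example.com</code>, the documentation addresses 192.0.2.53 and 198.51.100.53 for the public slaves, and 10.0.0.x for hosts inside the firewall.
</p>

```conf
// ---- named.conf on the hidden primary (a stealth master) ----
// Constructed example. Authoritative-only: recursion off, the zone is
// handed out only to the public slave, and this host is never named in
// the zone's NS records, so it can sit behind the firewall.
options {
    directory "/var/named";
    recursion no;                        // authoritative-only server
    allow-transfer { 192.0.2.53; };      // only the public slave may request a zone transfer
    notify explicit;                     // send NOTIFY only to the also-notify list
    also-notify { 192.0.2.53; };         // tell the public slave when the zone changes
};
zone "example.com" {
    type master;
    file "example.com.zone";             // apex NS records name ns1.example.com only
};

// ---- named.conf on the public slave ns1.example.com (192.0.2.53) ----
// Listed in the NS records; loads the zone by zone transfer from the
// hidden primary and may in turn serve a transfer to a subordinate slave.
options {
    directory "/var/named";
    recursion no;                        // authoritative-only here too
    allow-transfer { 198.51.100.53; };   // subordinate slave only
};
zone "example.com" {
    type slave;
    masters { 10.0.0.5; };               // hidden primary's internal address (placeholder)
    file "slaves/example.com.zone";
};

// ---- named.conf on an internal caching-only server ----
// Not authoritative for any zone. Recursion is restricted to local
// clients (an unrestricted allow-recursion would turn the host into an
// open resolver), and cache misses go to the forwarders that are allowed
// to pass the firewall, tried in turn until one answers.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; localhost; };
    forwarders { 10.0.0.2; 10.0.0.3; };  // queried in turn until an answer is found
    forward only;                        // never query Internet servers directly
};
```

<p>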
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;2.&nbsp;<acronym class="acronym">BIND</acronym> Resource Requirements</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.10.2-P4</p>
</body>
</html>