BIND 9 Administrator Reference Manual

Total Page:16

File Type:pdf, Size:1020Kb

BIND 9 Administrator Reference Manual BIND 9 Administrator Reference Manual BIND 9.11.31 (Extended Support Version) Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC") This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. Internet Systems Consortium, Inc. PO Box 360 Newmarket, NH 03857 USA https://www.isc.org/ Contents 1 Introduction 1 1.1 Scope of Document . .1 1.2 Organization of This Document . .1 1.3 Conventions Used in This Document . .1 1.4 The Domain Name System (DNS) . .2 DNS Fundamentals . .2 Domains and Domain Names . .2 Zones . .3 Authoritative Name Servers . .3 The Primary Server . .3 Secondary Servers . .4 Stealth Servers . .4 Caching Name Servers . .4 Forwarding . .5 Name Servers in Multiple Roles . .5 2 BIND Resource Requirements7 2.1 Hardware requirements . .7 2.2 CPU Requirements . .7 2.3 Memory Requirements . .7 2.4 Name Server-Intensive Environment Issues . .7 2.5 Supported Operating Systems . .8 iii BIND 9.11.31 CONTENTS CONTENTS 3 Name Server Configuration9 3.1 Sample Configurations . .9 A Caching-only Name Server . .9 An Authoritative-only Name Server . .9 3.2 Load Balancing . 10 3.3 Name Server Operations . 11 Tools for Use With the Name Server Daemon . 11 Diagnostic Tools . 11 Administrative Tools . 12 Signals . 13 4 Advanced DNS Features 15 4.1 Notify . 15 4.2 Dynamic Update . 15 The Journal File . 16 4.3 Incremental Zone Transfers (IXFR) . 16 4.4 Split DNS . 17 Example Split DNS Setup . 17 4.5 TSIG . 20 Generating a Shared Key . 21 Loading a New Key . 21 Instructing the Server to Use a Key . 22 TSIG-Based Access Control . 22 Errors . 22 4.6 TKEY . 23 4.7 SIG(0) . 23 4.8 DNSSEC . 24 Generating Keys . 24 Signing the Zone . 24 Configuring Servers for DNSSEC . 25 4.9 DNSSEC, Dynamic Zones, and Automatic Signing . 27 Converting from insecure to secure . 27 Dynamic DNS Update Method . 28 Fully Automatic Zone Signing . 28 BIND 9.11.31 iv CONTENTS CONTENTS Private Type Records . 29 DNSKEY Rollovers . 30 Dynamic DNS Update Method . 30 Automatic Key Rollovers . 30 NSEC3PARAM Rollovers via UPDATE . 30 Converting From NSEC to NSEC3 . 31 Converting From NSEC3 to NSEC . 31 Converting From Secure to Insecure . 31 Periodic Re-signing . 31 NSEC3 and OPTOUT . 31 4.10 Dynamic Trust Anchor Management . 31 Validating Resolver . 32 Authoritative Server . 32 4.11 PKCS#11 (Cryptoki) Support . 33 Prerequisites . 33 Native PKCS#11 . 33 Building SoftHSMv2 . 34 OpenSSL-based PKCS#11 . 34 Patching OpenSSL . 35 Building OpenSSL for the AEP Keyper on Linux . 35 Building OpenSSL for the SCA 6000 on Solaris . 36 Building OpenSSL for SoftHSM . 36 Configuring BIND 9 for Linux with the AEP Keyper . 37 Configuring BIND 9 for Solaris with the SCA 6000 . 37 Configuring BIND 9 for SoftHSM . 38 PKCS#11 Tools . 38 Using the HSM . 38 Specifying the engine on the command line . 40 Running named with automatic zone re-signing . 40 4.12 DLZ (Dynamically Loadable Zones) . 41 Configuring DLZ . 41 Sample DLZ Driver . 42 4.13 Dynamic Database (DynDB) . 42 v BIND 9.11.31 CONTENTS CONTENTS Configuring DynDB . 43 Sample DynDB Module . 43 4.14 Catalog Zones . 43 Principle of Operation . 44 Configuring Catalog Zones . 45 Catalog Zone Format . 45 4.15 IPv6 Support in BIND 9 . 47 Address Lookups Using AAAA Records . 47 Address-to-Name Lookups Using Nibble Format . 48 5 The BIND 9 Lightweight Resolver 49 5.1 The Lightweight Resolver Library . 49 5.2 Running a Resolver Daemon . 49 6 BIND 9 Configuration Reference 51 6.1 Configuration File Elements . 51 Address Match Lists . 54 Syntax . ..
Recommended publications
  • Increasing Automation in the Backporting of Linux Drivers Using Coccinelle
    Increasing Automation in the Backporting of Linux Drivers Using Coccinelle Luis R. Rodriguez Julia Lawall Rutgers University/SUSE Labs Sorbonne Universites/Inria/UPMC/LIP6´ [email protected] [email protected] [email protected], [email protected] Abstract—Software is continually evolving, to fix bugs and to a kernel upgrade. Upgrading a kernel may also require add new features. Industry users, however, often value stability, experience to understand what features to enable, disable, or and thus may not be able to update their code base to the tune to meet existing deployment criteria. In the worst case, latest versions. This raises the need to selectively backport new some systems may rely on components that have not yet been features to older software versions. Traditionally, backporting has merged into the mainline Linux kernel, potentially making it been done by cluttering the backported code with preprocessor impossible to upgrade the kernel without cooperation from the directives, to replace behaviors that are unsupported in an earlier version by appropriate workarounds. This approach however component vendor or a slew of partners that need to collaborate involves writing a lot of error-prone backporting code, and results on developing a new productized image for a system. As an in implementations that are hard to read and maintain. We example, development for 802.11n AR9003 chipset support consider this issue in the context of the Linux kernel, for which on the mainline ath9k device driver started on March 20, older versions are in wide use. We present a new backporting 2010 with an early version of the silicon, at which point the strategy that relies on the use of a backporting compatability most recent major release of the Linux kernel was v2.6.32.
    [Show full text]
  • Contributor's Guidelines
    Contributor’s Guidelines Release 17.11.10 Feb 27, 2020 CONTENTS 1 DPDK Coding Style1 1.1 Description.......................................1 1.2 General Guidelines..................................1 1.3 C Comment Style...................................1 1.4 C Preprocessor Directives..............................2 1.5 C Types.........................................4 1.6 C Indentation......................................7 1.7 C Function Definition, Declaration and Use.....................9 1.8 C Statement Style and Conventions......................... 11 1.9 Python Code...................................... 13 2 Design 14 2.1 Environment or Architecture-specific Sources.................... 14 2.2 Library Statistics.................................... 15 2.3 PF and VF Considerations.............................. 16 3 Managing ABI updates 18 3.1 Description....................................... 18 3.2 General Guidelines.................................. 18 3.3 What is an ABI..................................... 18 3.4 The DPDK ABI policy................................. 19 3.5 Examples of Deprecation Notices.......................... 20 3.6 Versioning Macros................................... 20 3.7 Setting a Major ABI version.............................. 21 3.8 Examples of ABI Macro use............................. 21 3.9 Running the ABI Validator............................... 25 4 DPDK Documentation Guidelines 27 4.1 Structure of the Documentation........................... 27 4.2 Role of the Documentation.............................
    [Show full text]
  • Introducting Innovations in Open Source Projects
    Introducing Innovations into Open Source Projects Dissertation zur Erlangung des Grades eines Doktors der Naturwissenschaften (Dr. rer. nat.) am Fachbereich Mathematik und Informatik der Freien Universität Berlin von Sinan Christopher Özbek Berlin August 2010 2 Gutachter: Professor Dr. Lutz Prechelt, Freie Universität Berlin Professor Kevin Crowston, Syracuse University Datum der Disputation: 17.12.2010 4 Abstract This thesis presents a qualitative study using Grounded Theory Methodology on the question of how to change development processes in Open Source projects. The mailing list communication of thirteen medium-sized Open Source projects over the year 2007 was analyzed to answer this question. It resulted in eight main concepts revolving around the introduction of innovation, i.e. new processes, services, and tools, into the projects including topics such as the migration to new systems, the question on where to host services, how radical Open Source projects can change their ways, and how compliance to processes and conventions is enforced. These are complemented with (1) the result of five case studies in which innovation introductions were conducted with Open Source projects, and with (2) a theoretical comparison of the results of this thesis to four theories and scientific perspectives from the organizational and social sciences such as Path Dependence, the Garbage Can model, Social-Network analysis, and Actor-Network theory. The results show that innovation introduction is a multifaceted phenomenon, of which this thesis discusses the most salient conceptual aspects. The thesis concludes with practical advice for innovators and specialized hints for the most popular innovations. 5 6 Acknowledgements I want to thank the following individuals for contributing to the completion of this thesis: • Lutz Prechelt for advising me over these long five years.
    [Show full text]
  • Debian Packaging Tutorial
    Debian Packaging Tutorial Lucas Nussbaum [email protected] version 0.27 – 2021-01-08 Debian Packaging Tutorial 1 / 89 About this tutorial I Goal: tell you what you really need to know about Debian packaging I Modify existing packages I Create your own packages I Interact with the Debian community I Become a Debian power-user I Covers the most important points, but is not complete I You will need to read more documentation I Most of the content also applies to Debian derivative distributions I That includes Ubuntu Debian Packaging Tutorial 2 / 89 Outline 1 Introduction 2 Creating source packages 3 Building and testing packages 4 Practical session 1: modifying the grep package 5 Advanced packaging topics 6 Maintaining packages in Debian 7 Conclusions 8 Additional practical sessions 9 Answers to practical sessions Debian Packaging Tutorial 3 / 89 Outline 1 Introduction 2 Creating source packages 3 Building and testing packages 4 Practical session 1: modifying the grep package 5 Advanced packaging topics 6 Maintaining packages in Debian 7 Conclusions 8 Additional practical sessions 9 Answers to practical sessions Debian Packaging Tutorial 4 / 89 Debian I GNU/Linux distribution I 1st major distro developed “openly in the spirit of GNU” I Non-commercial, built collaboratively by over 1,000 volunteers I 3 main features: I Quality – culture of technical excellence We release when it’s ready I Freedom – devs and users bound by the Social Contract Promoting the culture of Free Software since 1993 I Independence – no (single)
    [Show full text]
  • DNS / DNSSEC Workshop
    1/22/18 DNS / DNSSEC Workshop Hong Kong 22-24 January 2018 Issue Date: Revision: Overview • DNS Overview • BIND DNS Configuration • Recursive and Forward DNS • Reverse DNS • Troubleshooting • DNS Security Overview • DNS Transactions • DNS Security Extensions (DNSSec) • DNSSec Key Management and Automation 2 1 1/22/18 Overview • DNS Overview • BIND DNS Configuration • Recursive and Forward DNS • Reverse DNS • Troubleshooting • DNS Security Overview • DNS Transactions • DNS Security Extensions (DNSSec) • DNSSec Key Management and Automation 3 Domain Name System • A lookup mechanism for translating objects into otHer objects – Mapping names to numbers and vice versa • A globally distributed, loosely coHerent, scalable, reliable, dynamic database • Comprised of tHree components – A “name space” – Servers making tHat name space available – Resolvers (clients) query tHe servers about tHe name space • A critical piece of tHe Internet infrastructure 4 2 1/22/18 IP Addresses vs Domain Names The Internet DNS www.apnic.net202.112.0.46 2001:0400:: 2001:0C00:8888::My Computer www.apnic.net2001:0400:: 5 Old Solution: hosts.txt • A centrally-maintained file, distributed to all Hosts on tHe Internet • Issues witH Having just one file – Becomes Huge after some time – Needs frequent copying to ALL Hosts – Consistency // hosts.txt – Always out-of-date SERVER1 128.4.13.9 WEBMAIL 4.98.133.7 – Name uniqueness FTPHOST 200.10.194.33 – Single point of administration THis feature still exists: [Unix] /etc/Hosts [Windows] c:\windows\Hosts 6 3 1/22/18 DNS Features • Global distribution – SHares tHe load and administration • Loose CoHerency – GeograpHically distributed, but still coHerent • Scalability – can add DNS servers witHout affecting tHe entire DNS • Reliability • Dynamicity – Modify and update data dynamically 7 DNS Features • DNS is a client-server application • Requests and responses are normally sent in UDP packets, port 53 • Occasionally uses TCP, port 53 – for very large requests, e.g.
    [Show full text]
  • Impacting the Bioscience Progress by Backporting Software for Bio-Linux
    Impacting the bioscience progress by backporting software for Bio-Linux Sasa Paporovic [email protected] v0.9 What is Bio-Linux and what is it good for - also its drawbacks: If someone says to use or to have a Linux this is correct as like it is imprecise. It does not exist a Linux as full functional operating system by itself. What was originally meant by the term Linux was the operating system core[1]. The so called kernel, or in a case of a Linux operating system the Linux kernel. It is originally designed and programmed by Linus Torvalds, who is also today the developer in chef or to say it with his words, he is the “alpha-male” of all developers[2]. Anyway, what we have today are Distributions[3]. It has become common to call them simply “a Linux”. This means that there are organizations out there, mostly private, some funded and some other commercial, which gather all what is needed to design around the Linux kernel a full functional operating system. This targets mostly Software, but also web and service infrastructure. Some of them have a history that is nearly as long as the Linux kernel is alive, like Debian. Some others are younger like Ubuntu and some more others are very young, like Bio-Linux[4]. The last Linux, the Bio-Linux, especially its latest version Bio-Linux 7 we are focusing here[5]. In year 2006 Bio-Linux with the work of Tim Booth[42] and team gives its rising[6] and provide an operating system that was and still specialized in providing a bioinformatic specific software environment for the working needs in this corner of bioscience.
    [Show full text]
  • Oracle Unbreakable Linux: an Overview
    Oracle Unbreakable Linux: An Overview An Oracle White Paper September 2010 Oracle Unbreakable Linux: An Overview INTRODUCTION Oracle Unbreakable Linux is a support program that provides enterprises with industry-leading global support for the Linux operating system at significantly lower costs. The support program, which is available for any customer whether or not they’re running Oracle Unbreakable Linux currently includes support for three architectures: x86; x86-64 (e.g. the latest Intel Xeon and AMD Opteron chips, as used by most Linux customers); and Linux Itanium (ia64). The program offers support for any existing Red Hat Enterprise Linux installations and for new installations of Oracle Linux, an open source Linux operating system that is fully compatible— both source and binary—with Red Hat Enterprise Linux. Complete Support for the Complete Software Stack Oracle’s industry-leading support organization offers expertise that looks at the entire application stack running on top of Linux; only Oracle delivers complete support for the complete software stack—database, middleware, applications, management tools, and the operating system itself. By delivering enterprise-class quality support for Linux, Oracle addresses a key enterprise requirement from customers. When problems occur in a large, complex enterprise environment, it’s often impossible to reproduce such occurrences with very simple test cases. Customers need a support vendor who understands their full environment, and has the expertise to diagnose and resolve the problem by drawing from their knowledge of and familiarity with their framework, as opposed to requesting a simple reproducible test case. Another customer demand is for bug fixes to happen in a timely manner, as customers cannot always afford to wait for months to get a fix delivered to them.
    [Show full text]
  • Domain Name Systems-Based Electronic Mail Security
    DRAFT NIST CYBERSECURITY PRACTICE GUIDE DOMAIN NAME SYSTEMS-BASED ELECTRONIC MAIL SECURITY Scott Rose William C. Barker Santos Jha Chinedum Irrechukwu Karen Waltermire NIST SPECIAL PUBLICATION 1800-6 (INCLUDING PARTS A, B, C) ADDITIONAL CONTENT: https://nccoe.nist.gov/projects/building_blocks/ DRAFT NIST Special Publication 1800-6 NIST Cybersecurity Practice Guide DOMAIN NAME SYSTEMS- BASED ELECTRONIC MAIL SECURITY 1800-6A Scott Rose Executive Summary Information Technology Laboratory National Institute of Standards and Technology 1800-6B Approach, Architecture, and William C. Barker Security Characteristics Dakota Consulting For CIOs, CSOs, and Security Managers Silver Spring, MD 1800-6C Santos Jha How-To Guides Chinedum Irrechukwu For Security Engineers The MITRE Corporation McLean, VA Karen Waltermire National Cybersecurity Center of Excellence National Institute of Standards and Technology November 2016 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director DRAFT DISCLAIMER Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose. National Institute of Standards and Technology Special Publication 1800-6 Natl Inst. Stand. Technol. Spec. Publ. 1800-6, 221 pages (November 2016) CODEN: NSPUE2 Organizations are encouraged to review all draft publications during public comment periods and provide feedback. All publications from NIST’s National Cybersecurity Center of Excellence are available at http://nccoe.nist.gov.
    [Show full text]
  • BIND 9 Administrator Reference Manual
    BIND 9 Administrator Reference Manual BIND 9.11.23 (Extended Support Version) Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC") This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. Internet Systems Consortium, Inc. PO Box 360 Newmarket, NH 03857 USA https://www.isc.org/ Contents 1 Introduction 1 1.1 Scope of Document . .1 1.2 Organization of This Document . .1 1.3 Conventions Used in This Document . .1 1.4 The Domain Name System (DNS) . .2 DNS Fundamentals . .2 Domains and Domain Names . .2 Zones . .3 Authoritative Name Servers . .3 The Primary Server . .3 Secondary Servers . .4 Stealth Servers . .4 Caching Name Servers . .4 Forwarding . .5 Name Servers in Multiple Roles . .5 2 BIND Resource Requirements7 2.1 Hardware requirements . .7 2.2 CPU Requirements . .7 2.3 Memory Requirements . .7 2.4 Name Server-Intensive Environment Issues . .7 2.5 Supported Operating Systems . .8 iii BIND 9.11.23 CONTENTS CONTENTS 3 Name Server Configuration9 3.1 Sample Configurations . .9 A Caching-only Name Server . .9 An Authoritative-only Name Server . .9 3.2 Load Balancing . 10 3.3 Name Server Operations . 11 Tools for Use With the Name Server Daemon . 11 Diagnostic Tools . 11 Administrative Tools . 12 Signals . 13 4 Advanced DNS Features 15 4.1 Notify . 15 4.2 Dynamic Update . 15 The Journal File . 16 4.3 Incremental Zone Transfers (IXFR) . 16 4.4 Split DNS .
    [Show full text]
  • Domain Name Systems-Based Electronic Mail Security
    DRAFT NIST CYBERSECURITY PRACTICE GUIDE DOMAIN NAME SYSTEMS-BASED ELECTRONIC MAIL SECURITY How-To Guides For Security Engineers Scott Rose William Barker Santos Jha Chinedum Irrechukwu Karen Waltermire NIST SPECIAL PUBLICATION 1800-6C DRAFT NIST Special Publication 1800-6C NIST Cybersecurity Practice Guide DOMAIN NAME SYSTEMS- BASED ELECTRONIC MAIL SECURITY 1800-6C Scott Rose How-To Guides Information Technology Laboratory For Security Engineers National Institute of Standards and Technology William C. Barker Dakota Consulting Silver Spring, MD Santos Jha Chinedum Irrechukwu The MITRE Corporation McLean, VA Karen Waltermire National Cybersecurity Center of Excellence National Institute of Standards and Technology November 2016 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director DRAFT DISCLAIMER Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose. National Institute of Standards and Technology Special Publication 1800-6C Natl Inst. Stand. Technol. Spec. Publ. 1800-6C, 144 pages (November 2016) CODEN: NSPUE2 Organizations are encouraged to review all draft publications during
    [Show full text]
  • A Guide to Kernel Exploitation Attacking the Core (2011
    A Guide to Kernel Exploitation This page intentionally left blank A Guide to Kernel Exploitation Attacking the Core Enrico Perla Massimiliano Oldani Technical Editor Graham Speake AMSTERDAM • BOSTON • HEIDELBERG • LONDON • • • NEW YORK OXFORD PARIS SAN DIEGO SYNGRESS SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO ® Syngress is an imprint of Elsevier Acquiring Editor: Rachel Roumeliotis Development Editor: Matthew Cater Project Manager: Julie Ochs Designer: Alisa Andreola Syngress is an imprint of Elsevier 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA © 2011 Elsevier Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions. This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein). Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
    [Show full text]
  • Unix to Linux Migration
    UNIX TO LINUX MIGRATION RICHARD KEECH ABSTRACT This paper aims to show the benefits of choosing Linux and migrating existing UNIX environments to the Linux platform. This applies in particular to migrations from RISC-based platforms. It also shows the extent to which Linux is now a trusted, mainstream platform and how any technical risks associated with migrations can be mitigated. This paper addresses a technical audience. www.redhat.com UNIX to Linux migration | Richard Keech TABLE OF CONTENTS AIMS Page 3 INTRODUCTION TO LINUX Page 3 OpEN SOURCE AND LINUX Page 4 RED HAT ENTErprISE LINUX Page 5 UNIX VS LINUX Page 8 TrENDS Page 9 Server Virtualization Page 9 Clustering Page 10 Rapid provisioning and appliance OS Page 10 Instrumentation and debugging Page 10 MIGRATION CONSIDERATIONS Page 11 Qualify the stack Page 11 Porting Page 12 Training Page 12 Prepare a Linux standard build Page 12 Pilot deployment Page 13 CONCLUSIONS Page 13 REFERENCES Page 14 2 www.redhat.com UNIX to Linux migration | Richard Keech AIMS This paper aims to give an introduction to Linux for the technically inclined and educated reader at a level that can allow proper comparisons with UNIX. The paper provides an outline of the key considerations in selecting Linux and migrating from UNIX to Red Hat Enterprise Linux. The intended audience of this paper is enterprise infrastructure architects. INTRODUCTION TO LINUX Benefits. The Linux platform offers a low-risk, robust, and value-for-money alternative to traditional UNIX. Linux is now sufficiently mature enough to handle the most demanding workloads at a much lower cost than proprietary UNIX offerings.
    [Show full text]