BIND 9 Administrator Reference Manual
Total Page:16
File Type:pdf, Size:1020Kb
BIND 9 Administrator Reference Manual BIND 9.11.31 (Extended Support Version) Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC") This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. Internet Systems Consortium, Inc. PO Box 360 Newmarket, NH 03857 USA https://www.isc.org/ Contents 1 Introduction 1 1.1 Scope of Document . .1 1.2 Organization of This Document . .1 1.3 Conventions Used in This Document . .1 1.4 The Domain Name System (DNS) . .2 DNS Fundamentals . .2 Domains and Domain Names . .2 Zones . .3 Authoritative Name Servers . .3 The Primary Server . .3 Secondary Servers . .4 Stealth Servers . .4 Caching Name Servers . .4 Forwarding . .5 Name Servers in Multiple Roles . .5 2 BIND Resource Requirements7 2.1 Hardware requirements . .7 2.2 CPU Requirements . .7 2.3 Memory Requirements . .7 2.4 Name Server-Intensive Environment Issues . .7 2.5 Supported Operating Systems . .8 iii BIND 9.11.31 CONTENTS CONTENTS 3 Name Server Configuration9 3.1 Sample Configurations . .9 A Caching-only Name Server . .9 An Authoritative-only Name Server . .9 3.2 Load Balancing . 10 3.3 Name Server Operations . 11 Tools for Use With the Name Server Daemon . 11 Diagnostic Tools . 11 Administrative Tools . 12 Signals . 13 4 Advanced DNS Features 15 4.1 Notify . 15 4.2 Dynamic Update . 15 The Journal File . 16 4.3 Incremental Zone Transfers (IXFR) . 16 4.4 Split DNS . 17 Example Split DNS Setup . 17 4.5 TSIG . 20 Generating a Shared Key . 21 Loading a New Key . 21 Instructing the Server to Use a Key . 22 TSIG-Based Access Control . 22 Errors . 22 4.6 TKEY . 23 4.7 SIG(0) . 23 4.8 DNSSEC . 24 Generating Keys . 24 Signing the Zone . 24 Configuring Servers for DNSSEC . 25 4.9 DNSSEC, Dynamic Zones, and Automatic Signing . 27 Converting from insecure to secure . 27 Dynamic DNS Update Method . 28 Fully Automatic Zone Signing . 28 BIND 9.11.31 iv CONTENTS CONTENTS Private Type Records . 29 DNSKEY Rollovers . 30 Dynamic DNS Update Method . 30 Automatic Key Rollovers . 30 NSEC3PARAM Rollovers via UPDATE . 30 Converting From NSEC to NSEC3 . 31 Converting From NSEC3 to NSEC . 31 Converting From Secure to Insecure . 31 Periodic Re-signing . 31 NSEC3 and OPTOUT . 31 4.10 Dynamic Trust Anchor Management . 31 Validating Resolver . 32 Authoritative Server . 32 4.11 PKCS#11 (Cryptoki) Support . 33 Prerequisites . 33 Native PKCS#11 . 33 Building SoftHSMv2 . 34 OpenSSL-based PKCS#11 . 34 Patching OpenSSL . 35 Building OpenSSL for the AEP Keyper on Linux . 35 Building OpenSSL for the SCA 6000 on Solaris . 36 Building OpenSSL for SoftHSM . 36 Configuring BIND 9 for Linux with the AEP Keyper . 37 Configuring BIND 9 for Solaris with the SCA 6000 . 37 Configuring BIND 9 for SoftHSM . 38 PKCS#11 Tools . 38 Using the HSM . 38 Specifying the engine on the command line . 40 Running named with automatic zone re-signing . 40 4.12 DLZ (Dynamically Loadable Zones) . 41 Configuring DLZ . 41 Sample DLZ Driver . 42 4.13 Dynamic Database (DynDB) . 42 v BIND 9.11.31 CONTENTS CONTENTS Configuring DynDB . 43 Sample DynDB Module . 43 4.14 Catalog Zones . 43 Principle of Operation . 44 Configuring Catalog Zones . 45 Catalog Zone Format . 45 4.15 IPv6 Support in BIND 9 . 47 Address Lookups Using AAAA Records . 47 Address-to-Name Lookups Using Nibble Format . 48 5 The BIND 9 Lightweight Resolver 49 5.1 The Lightweight Resolver Library . 49 5.2 Running a Resolver Daemon . 49 6 BIND 9 Configuration Reference 51 6.1 Configuration File Elements . 51 Address Match Lists . 54 Syntax . ..