BIND 9 Administrator Reference Manual Release BIND 9.16.21 (Extended Support Version)
Internet Systems Consortium
2021-09-07

CONTENTS

1 Introduction
  1.1 Scope of Document
  1.2 Organization of This Document
  1.3 Conventions Used in This Document
  1.4 The Domain Name System (DNS)

2 BIND Resource Requirements
  2.1 Hardware Requirements
  2.2 CPU Requirements
  2.3 Memory Requirements
  2.4 Name Server-Intensive Environment Issues
  2.5 Supported Operating Systems

3 Name Server Configuration
  3.1 Sample Configurations
  3.2 Load Balancing
  3.3 Name Server Operations
  3.4 Plugins

4 BIND 9 Configuration Reference
  4.1 Configuration File Elements
  4.2 Configuration File Grammar
  4.3 Zone File
  4.4 BIND 9 Statistics

5 Advanced DNS Features
  5.1 Notify
  5.2 Dynamic Update
  5.3 Incremental Zone Transfers (IXFR)
  5.4 Split DNS
  5.5 TSIG
  5.6 TKEY
  5.7 SIG(0)
  5.8 DNSSEC
  5.9 DNSSEC, Dynamic Zones, and Automatic Signing
  5.10 Dynamic Trust Anchor Management
  5.11 PKCS#11 (Cryptoki) Support
  5.12 Dynamically Loadable Zones (DLZ)
  5.13 Dynamic Database (DynDB)
  5.14 Catalog Zones
  5.15 IPv6 Support in BIND 9

6 BIND 9 Security Considerations
  6.1 Access Control Lists
  6.2 Chroot and Setuid
  6.3 Dynamic Update Security

7 Troubleshooting
  7.1 Common Problems
  7.2 Incrementing and Changing the Serial Number
  7.3 Where Can I Get Help?

8 Release Notes
  8.1 Introduction
  8.2 Note on Version Numbering
  8.3 Supported Platforms
  8.4 Download
  8.5 Notes for BIND 9.16.21
  8.6 Notes for BIND 9.16.20
  8.7 Notes for BIND 9.16.19
  8.8 Notes for BIND 9.16.18
  8.9 Notes for BIND 9.16.17
  8.10 Notes for BIND 9.16.16
  8.11 Notes for BIND 9.16.15
  8.12 Notes for BIND 9.16.14
  8.13 Notes for BIND 9.16.13
  8.14 Notes for BIND 9.16.12
  8.15 Notes for BIND 9.16.11
  8.16 Notes for BIND 9.16.10
  8.17 Notes for BIND 9.16.9
  8.18 Notes for BIND 9.16.8
  8.19 Notes for BIND 9.16.7
  8.20 Notes for BIND 9.16.6
  8.21 Notes for BIND 9.16.5
  8.22 Notes for BIND 9.16.4
  8.23 Notes for BIND 9.16.3
  8.24 Notes for BIND 9.16.2
  8.25 Notes for BIND 9.16.1
  8.26 Notes for BIND 9.16.0
  8.27 License
  8.28 End of Life
  8.29 Thank You

9 DNSSEC Guide
  9.1 Preface
  9.2 Introduction
  9.3 Getting Started
  9.4 Validation
  9.5 Signing
  9.6 Basic DNSSEC Troubleshooting
  9.7 Advanced Discussions
  9.8 Recipes
  9.9 Commonly Asked Questions

10 A Brief History of the DNS and BIND

11 General DNS Reference Information
  11.1 IPv6 Addresses (AAAA)
  11.2 Bibliography (and Suggested Reading)
  11.3 Internet Standards
  11.4 Proposed Standards
  11.5 Informational RFCs
  11.6 Experimental RFCs
  11.7 Best Current Practice RFCs
  11.8 Historic RFCs
  11.9 RFCs of Type “Unknown”
  11.10 Obsoleted and Unimplemented Experimental RFCs
  11.11 RFCs No Longer Supported in BIND 9

12 Manual Pages
  12.1 arpaname - translate IP addresses to the corresponding ARPA names
  12.2 ddns-confgen - ddns key generation tool
  12.3 delv - DNS lookup and validation utility
  12.4 dig - DNS lookup utility
  12.5 dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
  12.6 dnssec-dsfromkey - DNSSEC DS RR generation tool
  12.7 dnssec-importkey - import DNSKEY records from external systems so they can be managed
  12.8 dnssec-checkds - DNSSEC delegation consistency checking tool
  12.9 dnssec-coverage - checks future DNSKEY coverage for a zone
  12.10 dnssec-keymgr - Ensures correct DNSKEY coverage based on a defined policy
  12.11 dnssec-keyfromlabel - DNSSEC key generation tool
  12.12 dnssec-keygen: DNSSEC key generation tool
  12.13 dnssec-revoke - set the REVOKED bit on a DNSSEC key
  12.14 dnssec-settime: set the key timing metadata for a DNSSEC key
  12.15 dnssec-signzone - DNSSEC zone signing tool
  12.16 dnssec-verify - DNSSEC zone verification tool
  12.17 dnstap-read - print dnstap data in human-readable form
  12.18 filter-aaaa.so - filter AAAA in DNS responses when A is present
  12.19 host - DNS lookup utility
  12.20 mdig - DNS pipelined lookup utility
  12.21 named-checkconf - named configuration file syntax checking tool
  12.22 named-checkzone, named-compilezone - zone file validity checking or converting tool
  12.23 named-journalprint - print zone journal in human-readable form
  12.24 named-nzd2nzf - convert an NZD database to NZF text format
  12.25 named-rrchecker - syntax checker for individual DNS resource records
  12.26 named.conf - configuration file for named
  12.27 named - Internet domain name server
  12.28 nsec3hash - generate NSEC3 hash
  12.29 nslookup - query Internet name servers interactively
  12.30 nsupdate - dynamic DNS update utility
  12.31 pkcs11-keygen - generate keys on a PKCS#11 device
  12.32 pkcs11-list - list PKCS#11 objects