From owner-svn-doc-all@freebsd.org Mon May 28 23:38:41 2018
Message-Id: <201805282338.w4SNceb1011903@repo.freebsd.org>
From: Eitan Adler <eadler@FreeBSD.org>
Date: Mon, 28 May 2018 23:38:40 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r51739 - head/en_US.ISO8859-1/books/handbook/network-servers
X-SVN-Group: doc-head
X-SVN-Commit-Author: eadler
X-SVN-Commit-Paths: head/en_US.ISO8859-1/books/handbook/network-servers
X-SVN-Commit-Revision: 51739
X-SVN-Commit-Repository: doc
List-Id: SVN commit messages for the entire doc trees (except for "user", "projects", and "translations")

Author: eadler
Date: Mon May 28 23:38:40 2018
New Revision: 51739

URL: https://svnweb.freebsd.org/changeset/doc/51739

Log:
  handbook: remove information about BIND for FreeBSD 9 and older

  There is no supported version of FreeBSD that still includes BIND in base.

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Mon May 28 23:24:41 2018	(r51738)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Mon May 28 23:38:40 2018	(r51739)
@@ -2972,22 +2972,6 @@ dhcpd_ifaces="dc0" necessary to run a name server to perform DNS lookups on a system. - BIND - - In &os; 10, the Berkeley Internet Name Domain - (BIND) has been removed from the base system - and replaced with Unbound. Unbound as configured in the &os; - Base is a local caching resolver. BIND is - still available from The Ports Collection as dns/bind99 or dns/bind98. In &os; 9 and lower, - BIND is included in &os; Base. The &os; - version provides enhanced security features, a new file system - layout, and automated &man.chroot.8; configuration. - BIND is maintained by the Internet Systems - Consortium. - resolver reverse DNS @@ -3024,12 +3008,6 @@ dhcpd_ifaces="dc0" - named, BIND - Common names for the BIND name server package - within &os;. - - - Resolver A system process through which a machine queries a name server for zone information. @@ -3158,15 +3136,8 @@ dhcpd_ifaces="dc0" - <acronym>DNS</acronym> Server Configuration in &os; 10.0 - and Later + <acronym>DNS</acronym> Server Configuration - In &os; 10.0, BIND has been - replaced with Unbound. - Unbound is a validating caching - resolver only. If an authoritative server is needed, many are - available from the Ports Collection. - Unbound is provided in the &os; base system. By default, it will provide DNS resolution to the local machine only. 
@@ -3229,1232 +3200,6 @@ freebsd.org. (A) |---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful - - - - DNS Server Configuration in &os; - 9.<replaceable>X</replaceable> - - - This chapter is only applicable to &os; 9 and before. - BIND9 is no longer part of the - base system in &os; 10 and after, where it has been replaced - with unbound. - - - In &os;, the BIND daemon is called - named. - - - - - - File - Description - - - - - - &man.named.8; - The BIND daemon. - - - - &man.rndc.8; - Name server control utility. - - - - /etc/namedb - Directory where BIND zone information - resides. - - - - /etc/namedb/named.conf - Configuration file of the daemon. - - - - - - Depending on how a given zone is configured on the server, - the files related to that zone can be found in the - master, - slave, or - dynamic subdirectories - of the /etc/namedb - directory. These files contain the DNS - information that will be given out by the name server in - response to queries. - - - Starting BIND - - - BIND - starting - - - Since BIND is installed by default, configuring it is - relatively simple. - - The default named - configuration is that of a basic resolving name server, - running in a &man.chroot.8; environment, and restricted to - listening on the local IPv4 loopback address (127.0.0.1). - To start the server one time with this configuration, use - the following command: - - &prompt.root; service named onestart - - To ensure the named daemon is - started at boot each time, put the following line into the - /etc/rc.conf: - - named_enable="YES" - - There are many configuration options for - /etc/namedb/named.conf that are beyond - the scope of this document. Other startup options for - named on &os; can be found in the - named_* flags - in /etc/defaults/rc.conf and in - &man.rc.conf.5;. The - section is also a good read. 
- - - - Configuration Files - - - BIND - configuration files - - - Configuration files for named - currently reside in /etc/namedb - directory and will need modification before use unless all - that is needed is a simple resolver. This is where most of - the configuration will be performed. - - - <filename>/etc/namedb/named.conf</filename> - - // $FreeBSD$ -// -// Refer to the named.conf(5) and named(8) man pages, and the documentation -// in /usr/share/doc/bind9 for more details. -// -// If you are going to set up an authoritative server, make sure you -// understand the hairy details of how DNS works. Even with -// simple mistakes, you can break connectivity for affected parties, -// or cause huge amounts of useless Internet traffic. - -options { - // All file and path names are relative to the chroot directory, - // if any, and should be fully qualified. - directory "/etc/namedb/working"; - pid-file "/var/run/named/pid"; - dump-file "/var/dump/named_dump.db"; - statistics-file "/var/stats/named.stats"; - -// If named is being used only as a local resolver, this is a safe default. -// For named to be accessible to the network, comment this option, specify -// the proper IP address, or delete this option. - listen-on { 127.0.0.1; }; - -// If you have IPv6 enabled on this system, uncomment this option for -// use as a local resolver. To give access to the network, specify -// an IPv6 address, or the keyword "any". -// listen-on-v6 { ::1; }; - -// These zones are already covered by the empty zones listed below. -// If you remove the related empty zones below, comment these lines out. - disable-empty-zone "255.255.255.255.IN-ADDR.ARPA"; - disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; - disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; - -// If you have a DNS server around at your upstream provider, enter -// its IP address here, and enable the line below. 
This will make you -// benefit from its cache, thus reduce overall DNS traffic in the Internet. -/* - forwarders { - 127.0.0.1; - }; -*/ - -// If the 'forwarders' clause is not empty the default is to 'forward first' -// which will fall back to sending a query from your local server if the name -// servers in 'forwarders' do not have the answer. Alternatively you can -// force your name server to never initiate queries of its own by enabling the -// following line: -// forward only; - -// If you wish to have forwarding configured automatically based on -// the entries in /etc/resolv.conf, uncomment the following line and -// set named_auto_forward=yes in /etc/rc.conf. You can also enable -// named_auto_forward_only (the effect of which is described above). -// include "/etc/namedb/auto_forward.conf"; - - Just as the comment says, to benefit from an uplink's - cache, forwarders can be enabled here. - Under normal circumstances, a name server will recursively - query the Internet looking at certain name servers until - it finds the answer it is looking for. Having this - enabled will have it query the uplink's name server (or - name server provided) first, taking advantage of its - cache. If the uplink name server in question is a heavily - trafficked, fast name server, enabling this may be - worthwhile. - - - 127.0.0.1 - will not work here. Change this - IP address to a name server at the - uplink. - - - /* - Modern versions of BIND use a random UDP port for each outgoing - query by default in order to dramatically reduce the possibility - of cache poisoning. All users are strongly encouraged to utilize - this feature, and to configure their firewalls to accommodate it. - - AS A LAST RESORT in order to get around a restrictive firewall - policy you can try enabling the option below. Use of this option - will significantly reduce your ability to withstand cache poisoning - attacks, and should be avoided if at all possible. 
- - Replace NNNNN in the example with a number between 49160 and 65530. - */ - // query-source address * port NNNNN; -}; - -// If you enable a local name server, do not forget to enter 127.0.0.1 -// first in your /etc/resolv.conf so this server will be queried. -// Also, make sure to enable it in /etc/rc.conf. - -// The traditional root hints mechanism. Use this, OR the slave zones below. -zone "." { type hint; file "/etc/namedb/named.root"; }; - -/* Slaving the following zones from the root name servers has some - significant advantages: - 1. Faster local resolution for your users - 2. No spurious traffic will be sent from your network to the roots - 3. Greater resilience to any potential root server failure/DDoS - - On the other hand, this method requires more monitoring than the - hints file to be sure that an unexpected failure mode has not - incapacitated your server. Name servers that are serving a lot - of clients will benefit more from this approach than individual - hosts. Use with caution. - - To use this mechanism, uncomment the entries below, and comment - the hint zone above. - - As documented at http://dns.icann.org/services/axfr/ these zones: - "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET - are available for AXFR from these servers on IPv4 and IPv6: - xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org -*/ -/* -zone "." { - type slave; - file "/etc/namedb/slave/root.slave"; - masters { - 192.5.5.241; // F.ROOT-SERVERS.NET. - }; - notify no; -}; -zone "arpa" { - type slave; - file "/etc/namedb/slave/arpa.slave"; - masters { - 192.5.5.241; // F.ROOT-SERVERS.NET. - }; - notify no; -}; -*/ - -/* Serving the following zones locally will prevent any queries - for these zones leaving your network and going to the root - name servers. This has two significant advantages: - 1. Faster local resolution for your users - 2. 
No spurious traffic will be sent from your network to the roots -*/ -// RFCs 1912 and 5735 (and BCP 32 for localhost) -zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; }; -zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; -zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// RFC 1912-style zone for IPv6 localhost address -zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; - -// "This" Network (RFCs 1912 and 5735) -zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// Private Use Networks (RFCs 1918 and 5735) -zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone 
"31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// Link-local/APIPA (RFCs 3927 and 5735) -zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IETF protocol assignments (RFCs 5735 and 5736) -zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// TEST-NET-[1-3] for Documentation (RFCs 5735 and 5737) -zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Range for Documentation (RFC 3849) -zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// Domain Names for Documentation and Testing (BCP 32) -zone "test" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example" { type master; file "/etc/namedb/master/empty.db"; }; -zone "invalid" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example.com" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example.net" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example.org" { type master; file "/etc/namedb/master/empty.db"; }; - -// Router Benchmark Testing (RFCs 2544 and 5735) -zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IANA Reserved - Old Class E Space (RFC 5735) -zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "244.in-addr.arpa" { type master; file 
"/etc/namedb/master/empty.db"; }; -zone "245.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Unassigned Addresses (RFC 4291) -zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "3.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "4.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "5.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "6.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "7.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "8.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "9.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "a.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "b.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "c.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "d.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "1.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "2.f.ip6.arpa" { type 
master; file "/etc/namedb/master/empty.db"; }; -zone "3.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "4.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "5.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "6.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "7.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "8.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "9.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "a.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "1.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "2.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "3.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "4.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "5.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "6.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 ULA (RFC 4193) -zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Link Local (RFC 4291) -zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Deprecated Site-Local Addresses (RFC 3879) -zone "c.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone 
"d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IP6.INT is Deprecated (RFC 4159) -zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; }; - -// NB: Do not use the IP addresses below, they are faked, and only -// serve demonstration/documentation purposes! -// -// Example slave zone config entries. It can be convenient to become -// a slave at least for the zone your own domain is in. Ask -// your network administrator for the IP address of the responsible -// master name server. -// -// Do not forget to include the reverse lookup zone! -// This is named after the first bytes of the IP address, in reverse -// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. -// -// Before starting to set up a master zone, make sure you fully -// understand how DNS and BIND work. There are sometimes -// non-obvious pitfalls. Setting up a slave zone is usually simpler. -// -// NB: Do not blindly enable the examples below. :-) Use actual names -// and addresses instead. - -/* An example dynamic zone -key "exampleorgkey" { - algorithm hmac-md5; - secret "sf87HJqjkqh8ac87a02lla=="; -}; -zone "example.org" { - type master; - allow-update { - key "exampleorgkey"; - }; - file "/etc/namedb/dynamic/example.org"; -}; -*/ - -/* Example of a slave reverse zone -zone "1.168.192.in-addr.arpa" { - type slave; - file "/etc/namedb/slave/1.168.192.in-addr.arpa"; - masters { - 192.168.1.1; - }; -}; -*/ - - In named.conf, these are examples - of slave entries for a forward and reverse zone. - - For each new zone served, a new zone entry must be - added to named.conf. 
- - For example, the simplest zone entry for - example.org - can look like: - - zone "example.org" { - type master; - file "master/example.org"; -}; - - The zone is a master, as indicated by the - statement, holding its zone - information in - /etc/namedb/master/example.org - indicated by the statement. - - zone "example.org" { - type slave; - file "slave/example.org"; -}; - - In the slave case, the zone information is transferred - from the master name server for the particular zone, and - saved in the file specified. If and when the master - server dies or is unreachable, the slave name server will - have the transferred zone information and will be able to - serve it. - - - - Zone Files - - - BIND - zone files - - - An example master zone file for - example.org - (existing within - /etc/namedb/master/example.org) is as - follows: - - $TTL 3600 ; 1 hour default TTL -example.org. IN SOA ns1.example.org. admin.example.org. ( - 2006051501 ; Serial - 10800 ; Refresh - 3600 ; Retry - 604800 ; Expire - 300 ; Negative Response TTL - ) - -; DNS Servers - IN NS ns1.example.org. - IN NS ns2.example.org. - -; MX Records - IN MX 10 mx.example.org. - IN MX 20 mail.example.org. - - IN A 192.168.1.1 - -; Machine Names -localhost IN A 127.0.0.1 -ns1 IN A 192.168.1.2 -ns2 IN A 192.168.1.3 -mx IN A 192.168.1.4 -mail IN A 192.168.1.5 - -; Aliases -www IN CNAME example.org. - - Note that every hostname ending in a . - is an exact hostname, whereas everything without a - trailing . is relative to the origin. For - example, ns1 is translated into - ns1.example.org. 
- - The format of a zone file follows: - - recordname IN recordtype value - - - DNS - records - - - The most commonly used DNS - records: - - - - SOA - - - start of zone authority - - - - - NS - - - an authoritative name server - - - - - A - - - a host address - - - - - CNAME - - - the canonical name for an alias - - - - - MX - - - mail exchanger - - - - - PTR - - - a domain name pointer (used in reverse - DNS) - - - - - example.org. IN SOA ns1.example.org. admin.example.org. ( - 2006051501 ; Serial - 10800 ; Refresh after 3 hours - 3600 ; Retry after 1 hour - 604800 ; Expire after 1 week - 300 ) ; Negative Response TTL - - - - example.org. - - - the domain name, also the origin for this - zone file. - - - - - ns1.example.org. - - - the primary/authoritative name server for this - zone. - - - - - admin.example.org. - - - the responsible person for this zone, - email address with @ - replaced. (admin@example.org becomes - admin.example.org) - - - - - 2006051501 - - - the serial number of the file. This must be - incremented each time the zone file is modified. - Nowadays, many admins prefer a - yyyymmddrr format for the serial - number. 2006051501 would mean - last modified 05/15/2006, the latter - 01 being the first time the zone - file has been modified this day. The serial number - is important as it alerts slave name servers for a - zone when it is updated. - - - - - IN NS ns1.example.org. - - This is an NS entry. Every name server that is going - to reply authoritatively for the zone must have one of - these entries. - - localhost IN A 127.0.0.1 -ns1 IN A 192.168.1.2 -ns2 IN A 192.168.1.3 -mx IN A 192.168.1.4 -mail IN A 192.168.1.5 - - The A record indicates machine names. As seen above, - ns1.example.org would - resolve to 192.168.1.2. - - IN A 192.168.1.1 - - This line assigns IP address - 192.168.1.1 to - the current origin, in this case example.org. - - www IN CNAME @ - - The canonical name record is usually used for giving - aliases to a machine. 
In the example, - www is aliased to the - master machine whose name happens to be the - same as the domain name - example.org - (192.168.1.1). - CNAMEs can never be used together with another kind of - record for the same hostname. - - - MX record - - - IN MX 10 mail.example.org. - - The MX record indicates which mail servers are - responsible for handling incoming mail for the zone. - mail.example.org is - the hostname of a mail server, and 10 is the priority of - that mail server. - - One can have several mail servers, with priorities of - 10, 20 and so on. A mail server attempting to deliver to - example.org - would first try the highest priority MX (the record with - the lowest priority number), then the second highest, etc, - until the mail can be properly delivered. - - For in-addr.arpa zone files (reverse - DNS), the same format is used, except - with PTR entries instead of A or CNAME. - - $TTL 3600 - -1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( - 2006051501 ; Serial - 10800 ; Refresh - 3600 ; Retry - 604800 ; Expire - 300 ) ; Negative Response TTL - - IN NS ns1.example.org. - IN NS ns2.example.org. - -1 IN PTR example.org. -2 IN PTR ns1.example.org. -3 IN PTR ns2.example.org. -4 IN PTR mx.example.org. -5 IN PTR mail.example.org. - - This file gives the proper IP - address to hostname mappings for the above fictitious - domain. - - It is worth noting that all names on the right side - of a PTR record need to be fully qualified (i.e., end in - a .). - - - - - Caching Name Server - - - BIND - caching name server - - - A caching name server is a name server whose primary - role is to resolve recursive queries. It simply asks - queries of its own, and remembers the answers for later - use. 
- - - - <acronym role="Domain Name Security - Extensions">DNSSEC</acronym> - - - BIND - DNS security - extensions - - - Domain Name System Security Extensions, or DNSSEC - for short, is a suite of specifications to protect resolving - name servers from forged DNS data, such - as spoofed DNS records. By using digital - signatures, a resolver can verify the integrity of the - record. Note that DNSSEC only provides integrity via - digitally signing the Resource Records (RRs). It provides - neither confidentiality nor protection against false - end-user assumptions. This means that it cannot protect - against people going to - example.net - instead of - example.com. - The only thing DNSSEC does is - authenticate that the data has not been compromised in - transit. The security of DNS is an - important step in securing the Internet in general. For - more in-depth details of how DNSSEC - works, the relevant RFCs are a good place - to start. See the list in - . - - The following sections will demonstrate how to enable - DNSSEC for an authoritative - DNS server and a recursive (or caching) - DNS server running - BIND 9. While all versions of - BIND 9 support DNSSEC, - it is necessary to have at least version 9.6.2 in order to - be able to use the signed root zone when validating - DNS queries. This is because earlier - versions lack the required algorithms to enable validation - using the root zone key. It is strongly recommended to use - the latest version of BIND 9.7 or later - to take advantage of automatic key updating for the root - key, as well as other features to automatically keep zones - signed and signatures up to date. Where configurations - differ between 9.6.2 and 9.7 and later, differences will be - pointed out. - - - Recursive <acronym>DNS</acronym> Server - Configuration - - Enabling DNSSEC validation of - queries performed by a recursive DNS - server requires a few changes to - named.conf. 
Before making these - changes the root zone key, or trust anchor, must be - acquired. Currently the root zone key is not available in - a file format BIND understands, so it - has to be manually converted into the proper format. The - key itself can be obtained by querying the root zone for - it using dig. By - running - - &prompt.user; dig +multi +noall +answer DNSKEY . > root.dnskey - - the key will end up in - root.dnskey. The contents should - look something like this: - - . 93910 IN DNSKEY 257 3 8 ( - AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ - bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh - /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA - JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp - oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 - LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO - Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc - LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= - ) ; key id = 19036 -. 93910 IN DNSKEY 256 3 8 ( - AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf - UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE - g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V - EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt -) ; key id = 34525 - - Do not be alarmed if the obtained keys differ from - this example. They might have changed since these - instructions were last updated. This output actually - contains two keys. The first key in the listing, with the - value 257 after the DNSKEY record type, is the one needed. - This value indicates that this is a Secure Entry Point - (SEP), - commonly known as a Key Signing Key - (KSK). The - second key, with value 256, is a subordinate key, commonly - called a Zone Signing Key - (ZSK). More on - the different key types later in - . - - Now the key must be verified and formatted so that - BIND can use it. To verify the key, - generate a DS - RR set. Create - a file containing these - RRs with - - &prompt.user; dnssec-dsfromkey -f root.dnskey . 
> root.ds - - These records use SHA-1 and SHA-256 respectively, and - should look similar to the following example, where the - longer is using SHA-256. - - . IN DS 19036 8 1 - B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E -. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 - - The SHA-256 RR can now be compared - to the digest in https://data.iana.org/root-anchors/root-anchors.xml. - To be absolutely sure that the key has not been tampered - with the data in the XML file should be - verified using a proper PGP signature. - - - Next, the key must be formatted properly. This - differs a little between BIND versions - 9.6.2 and 9.7 and later. In version 9.7 support was added - to automatically track changes to the key and update it as - necessary. This is done using - managed-keys as seen in the example - below. When using the older version, the key is added - using a trusted-keys statement and - updates must be done manually. For - BIND 9.6.2 the format should look - like: - - trusted-keys { - "." 257 3 8 - "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; -}; - - For 9.7 the format will instead be: - - managed-keys { - "." initial-key 257 3 8 - "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; -}; - - The root key can now be added to - named.conf either directly or by - including a file containing the key. 
After these steps, - configure BIND to do - DNSSEC validation on queries by editing - named.conf and adding the following - to the options directive: - - dnssec-enable yes; -dnssec-validation yes; - - To verify that it is actually working use - dig to make a query for a - signed zone using the resolver just configured. A - successful reply will contain the AD - flag to indicate the data was authenticated. Running a - query such as - - &prompt.user; dig @resolver +dnssec se ds - - should return the DS - RR for the .se zone. - In the flags: section the - AD flag should be set, as seen - in: - - ... -;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 -... - - The resolver is now capable of authenticating - DNS queries. - - - - Authoritative <acronym>DNS</acronym> Server - Configuration - - In order to get an authoritative name server to serve - a DNSSEC signed zone a little more work - is required. A zone is signed using cryptographic keys *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***