Table of Contents for
TCP/IP Network Administration, 3rd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition TCP/IP Network Administration, 3rd Edition by Craig Hunt Published by O'Reilly Media, Inc., 2002
  1. Cover
  2. TCP/IP Network Administration, 3rd Edition
  3. Dedication
  4. Preface
  5. 1. Overview of TCP/IP
  6. 2. Delivering the Data
  7. 3. Network Services
  8. 4. Getting Started
  9. 5. Basic Configuration
  10. 6. Configuring the Interface
  11. 7. Configuring Routing
  12. 8. Configuring DNS
  13. 9. Local Network Services
  14. 10. sendmail
  15. 11. Configuring Apache
  16. 12. Network Security
  17. 13. Troubleshooting TCP/IP
  18. A. PPP Tools
  19. B. A gated Reference
  20. C. A named Reference
  21. D. A dhcpd Reference
  22. E. A sendmail Reference
  23. F. Solaris httpd.conf File
  24. G. RFC Excerpts
  25. Index
  26. Index
  27. Index
  28. Index
  29. Index
  30. Index
  31. Index
  32. Index
  33. Index
  34. Index
  35. Index
  36. Index
  37. Index
  38. Index
  39. Index
  40. Index
  41. Index
  42. Index
  43. Index
  44. Index
  45. Index
  46. Index
  47. Index
  48. Index
  49. Index
  50. Index
  51. Index
  52. About the Author
  53. Colophon
  54. Copyright

Appendix C. A named Reference

This appendix provides detailed information about named syntax and the commands and files used to configure it. This is primarily a reference to use in conjunction with the tutorial information in Chapter 8. This information is useful to any domain administrator.

The named Command

The server side of DNS is run by the name server daemon, named. The syntax of the named command is:[157]

named [-d level] [-p port] [[-b|c] configfile] [-q -r -f -v] [-u username] 
[-g groupname] [-t path] [-w path] [configfile]

The options used on the named command line are:

-d level

Logs debugging information in the file named.run. The argument level is a number from 1 to 11. A higher level number increases the detail of the information logged, but even when level is set to 1, the named.run file grows very rapidly. Whenever you use debugging, keep an eye on the size of the named.run file and use ndc notrace or SIGUSR2 to close the file if it gets too large. Signal handling is covered in the next section.

It is not necessary to turn on debugging with the -d option to receive error messages from named. named displays error messages on the console and stores them in the messages, even if debugging is not specified. The -d option provides additional debugging information.

-p port

Defines the UDP/TCP port used by named. port is the port number used to connect to the remote name server. If the -p option is not specified, the standard port (53) is used. Since port 53 is a well-known port, changing the port number makes the name server inaccessible to standard software packages. Therefore, -p is used only for testing.

-b configfile or -c configfile

Specifies the file named uses as its configuration file. By default the configuration file is /etc/named.conf, but the -b or -c option allows the administrator to choose another configuration file. Note that using -b or -c is optional. As long as the filename used for configfile doesn’t start with a dash, the -b or -c flag is not required. Any filename written on the named command line is assumed to be the configuration file, as the last item on the command line shows.

-q

Logs all incoming queries. named must be compiled with the QRYLOG option set to enable this type of logging.

-r

Turns off recursion. With this option set, the server will provide answers only for zones for which it is an authoritative server. It will not pursue the query through other servers or zones.

-f

Runs named in the foreground. Normally named is run as a background daemon.

-v

Displays the version number. The -v switch does not run named.

-u username

Sets the user ID under which the server runs after initializing. By default, named runs as root.

-g groupname

Set the group ID under which named runs after initializing. The group ID defaults to the master group of the user ID under which named is run.

-t path

Defines the path to the directory named uses when running chroot.

-w path

Defines the path of named’s working directory. The default is the current directory. The directory option in the configuration file overrides this setting.

Signal Processing

named handles the following signals:

SIGHUP

Causes named to reread the named.conf file and reload the name server database. named then continues to run with the new configuration. If named is compiled with the FORCED_RELOAD option, this signal forces a slave server to transfer the zone from its master server. This signal has the same effect as ndc reload.

SIGINT

Causes named to dump its cache to named_dump.db. The dump file contains all of the domain information that the local name server knows. The file begins with the root servers and marks off every domain under the root that the local server knows anything about. If you examine this file, you’ll see that it shows a complete picture of the information the server has learned. This signal has the same effect as ndc dumpdb.

SIGUSR1

Turns on debugging; each subsequent SIGUSR1 signal increases the level of debugging. Debugging information is written to named.run just as it is when the -d option is used on the named command line. Debugging does not have to be enabled with the -d option for the SIGUSR1 signal to work. SIGUSR1 allows debugging to be turned on when a problem is suspected, without stopping named and restarting it with the -d option. This signal has the same effect as ndc trace.

SIGUSR2

Turns off debugging and closes named.run. After issuing SIGUSR2, you can examine named.run or remove it if it is getting too large. This signal has the same effect as ndc notrace.

Optionally, some other signals can be handled by named. These additional signals require named to be compiled with the appropriate options to support the signals:

SIGILL

Writes statistics data to named.stats. named must be compiled with -DSTATS for this signal to work.

SIGSYS

Writes profiling data into the directory defined by the directory option in the named.conf file. named must be compiled with profiling to support this signal.

SIGTERM

Writes back the master and slave database files. This is used to save data modified by dynamic updates before the system is shut down. named must be compiled with dynamic updating enabled.

SIGWINCH

Toggles logging of all incoming queries via syslogd. named must be compiled with the QRYLOG option to support this. This signal has the same effect as ndc querylog.

named.conf Configuration Commands

The named.conf file defines the name server configuration and tells named where to obtain the name server database information. BIND 8 uses the following configuration commands: key, acl, options, logging, zone, server, controls, and trusted-keys. BIND 9 uses the same eight commands and adds the view command.

In addition to these configuration commands, both BIND 8 and BIND 9 provide an include statement used to load an external file that contains any of the configuration commands. For example:

include /var/named/keys

copies the file /var/named/keys, which might be a file containing key and trusted-key commands into the named.conf file.

The key Statement

The key statement assigns an internal name used to reference an authentication method. key statements usually occur near the start of the configuration because forward references are not allowed. The syntax of the key statement for both BIND 8 and BIND 9 is:

key key_id {
  algorithm algorithm_id;
  secret secret_string;
};
key_id

The name assigned to the authentication method.

algorithm_id

The authentication algorithm used.

secret_string

A base64-encoded key used by the algorithm.

The acl Statement

The acl command assigns a name to an address match list so that it can be referenced later in the configuration. Forward references are not allowed. The syntax of the acl command for both BIND 8 and BIND 9 is:

acl name {
   address_match_list
};
name

An internal name for the list. There are four predefined names:

any

Match every possible address.

none

Match no address.

localhost

Match every address assigned to the local host.

localnet

Match every address where the network portion is the same as the network portion of any address assigned to the local hosts.

address_match_list

A list of IP addresses written in dotted decimal notation with an optional address mask prefix. An exclamation point (!) before an address means “don’t match” the value. An address_match_list can also contain the name of a previously defined access control list, including the four predefined names.

The trusted-keys Statement

The trusted-keys statement manually defines the public key for a remote domain when that key cannot be securely obtained from the network. The BIND 8 and BIND 9 syntax for the trusted-keys statement is:

trusted-keys {
   domain_name flags protocol algorithm key; [...]
};
domain_name

The name of the remote domain.

flags, protocol, algorithm

Attributes of the authentication method used by the remote domain.

key

A base64-encoded string representing the remote domain’s public key.

The server Statement

The server statement defines the characteristics of a remote server. The BIND 8 syntax is:

server address {
  [ bogus yes|no; ]
  [ support-ixfr yes|no; ]
  [ transfers number; ]
  [ transfer-format one-answer|many-answers; ]
  [ keys { key_id [key_id ... ] }; ]
};

The server statement applies to the remote server identified by address.

transfer-format

Sets the format used for zone transfers with this server to either the more efficient many-answers format or the backward-compatible one-answer format.

bogus yes

Prevents the local server from sending queries to this server. The default is no, which permits queries to the remote server.

support-ixfr yes

Indicates that the remote server can support incremental transfers. no, which is the default, says that the remote server cannot perform incremental transfers.

transfers

Defines the maximum number of concurrent inbound transfers permitted from this server.

keys

Identifies the key required by the remote host for transaction security.

The BIND 9 server statement

The BIND 9 server statement syntax varies slightly. It is:

server address {
  [ bogus yes|no; ]
  [ provide-ixfr yes|no; ]
  [ request-ixfr yes|no; ]
  [ transfers number; ]
  [ transfer-format one-answer|many-answers; ]
  [ keys { key_id [key_id ... ] }; ]
};

All of the fields are the same as BIND 8, with the exception that support-ixfr has been replaced by two options:

provide-ixfr

Indicates that the local server will provide incremental zone transfers to the remote server.

request-ixfr

Indicates that the local server will request incremental zone transfers from the remote server.

The options Statement

The options statement defines global options for BIND and the DNS protocol. The BIND 8 syntax of the options command is:

options {
  [ version string; ]
  [ directory pathname; ]
  [ named-xfer pathname; ]
  [ dump-file pathname; ]
  [ memstatistics-file pathname; ]
  [ pid-file pathname; ]
  [ statistics-file pathname; ]
  [ auth-nxdomain yes|no; ]
  [ deallocate-on-exit yes|no; ]
  [ dialup yes|no; ]
  [ fake-iquery yes|no; ]
  [ fetch-glue yes|no; ]
  [ has-old-clients yes|no; ]
  [ host-statistics yes|no; ]
  [ multiple-cnames yes|no; ]
  [ notify yes|no; ]
  [ recursion yes|no; ]
  [ rfc2308-type1 yes|no; ]
  [ use-id-pool yes|no; ]
  [ treat-cr-as-space yes|no; ]
  [ also-notify { address-list; };
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ check-names master|slave|response  warn|fail|ignore; ]
  [ allow-query { address_match_list }; ]
  [ allow-transfer { address_match_list }; ]
  [ allow-recursion { address_match_list }; ]
  [ blackhole { address_match_list }; ]
  [ listen-on [ port ip_port ] { address_match_list }; ]
  [ query-source [address ip_addr|*] [port ip_port|*] ; ]
  [ lame-ttl number; ]
  [ max-transfer-time-in number; ]
  [ max-ncache-ttl number; ]
  [ min-roots number; ]
  [ serial-queries number; ]
  [ transfer-format one-answer|many-answers; ]
  [ transfers-in  number; ]
  [ transfers-out number; ]
  [ transfers-per-ns number; ]
  [ transfer-source ip_addr; ]
  [ maintain-ixfr-base yes|no; ]
  [ max-ixfr-log-size number; ]
  [ coresize size; ]
  [ datasize size; ]
  [ files size; ]
  [ stacksize size; ]
  [ cleaning-interval number; ]
  [ heartbeat-interval number; ]
  [ interface-interval number; ]
  [ statistics-interval number; ]
  [ topology { address_match_list }; ]
  [ sortlist { address_match_list }; ]
  [ rrset-order { order_spec ; [ order_spec ; ... ] ] };
};

There are almost a dozen different types of values for these options. Two options, check-names and transfer-format, accept keyword values. Boolean options accept either yes or no. All other options expect an appropriate value in a specific format. Some formats (string, number, pathname, domain, type, class, ip_port, and ip_addr) are self-explanatory. Some formats require a little explanation:.

address-list

A list of IP addresses separated by semicolons. This is more limited than an address_match_list.

address_match_list

A list of addresses, acl names, and key_ids.

order_spec

A multi-part rule that defines how resource records are ordered when multiple records are sent in response to a single query. The structure of an order_spec is:

[ class class ][ type type ][ name "domain" ] order order

class, type and domain are self-explanatory. order is one of three possible values:

fixed

The order in which records are defined in the zone file is maintained.

random

Resource records are shuffled into a random order.

cyclic

The resource records are rotated in a round-robin manner, which is the default order.

The BIND 8 options are:

version

The string returned when the server is queried for its version.

directory

The path of the working directory from which the server reads and writes files.

named-xfer

The path to the named-xfer program.

dump-file

The file where the database is dumped if named receives a SIGINT signal. The default filename is named_dump.db.

memstatistics-file

The file where memory usage statistics are written. The default filename is named.memstats.

pid-file

The file where the process ID is stored.

statistics-file

The file where statistics are written when named receives a SIGILL signal. The default filename is named.stats.

auth-nxdomain

yes, which is the default, causes the server to respond as an authoritative server.

deallocate-on-exit

yes writes memory usage to the named.memstats file. The default is no.

dialup

yes optimizes the server for a dial-up network operation. The default is no.

fake-iquery

yes makes the server issue a fake reply instead of an error in response to inverse queries. The default is no.

fetch-glue

yes, which is the default, retrieves all of the glue records for a response.

has-old-clients

yes sets auth-nxdomain and maintain-ixfr-base to yes and rfc2308-type1 to no.

host-statistics

yes keeps statistics on every host. The default is no.

multiple-cnames

yes permits multiple CNAME records for a domain name. The default is no.

notify

yes, which is the default, sends DNS NOTIFY messages when a zone is updated.

recursion

yes, the default, recursively seeks answers to queries.

rfc2308-type1

yes returns NS records with the SOA record for negative caching. no, the default, returns only the SOA record for compatibility with old servers.

use-id-pool

yes tracks outstanding query IDs to increase randomness. no is the default.

treat-cr-as-space

yes treats carriage returns as spaces when loading a zone file. no is the default.

also-notify

Identifies unofficial name servers to which the server should send DNS NOTIFY messages.

forward

first causes the server to first query the forwarders and then look for the answer itself. only causes the server to query only the forwarders.

forwarders

Lists the IP addresses of the servers to which queries are forwarded. The default is not to use forwarding.

check-names

Checks hostnames for compliance with the RFC specifications. Names can be checked when the master server loads the zone (master), when the slave transfers the zone (slave), or when a response is processed (response). If an error is detected, it can be ignored (ignore), a warning can be sent (warn), or the bad name can be rejected (fail).

allow-query

Only queries from hosts in the address list will be accepted. The default is to accept queries from all hosts.

allow-transfer

Only hosts in the address list are allowed to receive zone transfers. The default is to allow transfers to all hosts.

allow-recursion

Only listed hosts are allowed to make recursive queries through this server. The default is to do recursive queries for all hosts.

blackhole

Lists hosts from which this server will not accept queries.

listen-on

Defines the interfaces and ports on which the server provides name service. By default, the server listens to the standard port (53) on all installed interfaces.

query-source

Defines the address and port used to query other servers.

lame-ttl

The amount of time a lame server indication will be cached. The default is 10 minutes.

max-transfer-time-in

The maximum amount of time the server waits for an inbound transfer to complete. The default is 120 minutes (2 hours).

max-ncache-ttl

The amount of time this server will cache negative answers. The default is 3 hours and the maximum acceptable value is 7 days.

min-roots

The minimum number of root servers that must be reachable for queries involving the root servers to be accepted. The default is 2.

serial-queries

The number of outstanding SOA queries a slave server can have at one time. The default is 4.

transfer-format

one-answer transfers one resource record per message. many-answers transfers as many resource records as possible in each message.

transfers-in

Sets the maximum number of concurrent inbound zone transfers. The default value is 10.

transfers-out

Lists the number of concurrent outbound zone transfers.

transfers-per-ns

Limits the number of concurrent inbound zone transfers from any one name server. The default value is 2.

transfer-source

The IP address of the network interface this server uses to transfer zones from remote masters.

maintain-ixfr-base

yes keeps a log of incremental zone transfers. no is the default.

max-ixfr-log-size

Sets the maximum size of the incremental zone transfer log file.

coresize

Sets the maximum size of a core dump file.

datasize

Limits the amount of data memory the server may use.

files

Limits the number of files the server may have open concurrently. The default is unlimited.

stacksize

Limits amount of stack memory the server may use.

cleaning-interval

Sets the time interval for the server to remove expired resource records from the cache. The default is 60 minutes.

heartbeat-interval

Sets the time interval used for zone maintenance when the dialup option is set to yes. 60 minutes is the default.

interface-interval

Sets the time interval for the server to scan the network interface list looking for new interfaces or interfaces that have been removed. The default is every 60 minutes.

statistics-interval

Sets the time interval for the server to log statistics. The default is every 60 minutes.

topology

Forces the server to prefer certain remote name servers over others. Normally, the server prefers the remote name server that is topologically closest to itself.

sortlist

Defines a sort algorithm applied to resource records before sending them to the client.

rrset-order

Specifies the ordering used when multiple records are returned for a single query.

The BIND 9 options statement

The BIND 9 syntax of the options command is:

options {
  [ version string; ]
  [ directory pathname; ]
  [ additional-from-auth yes|no; ] 
  [ additional-from-cache yes|no; ]
  [ dump-file pathname; ]
  [ pid-file pathname; ]
  [ statistics-file pathname; ]
  [ auth-nxdomain yes|no; ]
  [ dialup yes|no; ]
  [ notify yes|no|explicit; ] 
  [ notify-source [ip_addr|*] [port ip_port] ; ]
  [ notify-source-v6 [ip_addr|*] [port ip_port] ; ]
  [ recursion yes|no; ]
  [ recursive-clients number; ] 
  [ tcp-clients number; ]
  [ also-notify { address-list; };
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ allow-notify { address_match_list }; ]
  [ allow-query { address_match_list }; ]
  [ allow-transfer { address_match_list }; ]
  [ allow-recursion { address_match_list }; ]
  [ blackhole { address_match_list }; ]
  [ listen-on [ port ip_port ] { address_match_list }; ] 
  [ listen-on-v6 [ port ip_port ] { address_match_list }; ]
  [ port ip_port; ]
  [ query-source [address ip_addr|*] [port ip_port|*] ; ] 
  [ query-source-v6 [address ip6_addr|*] [port ip_port|*] ; ]
  [ lame-ttl number; ]
  [ max-transfer-time-in number; ] 
  [ max-transfer-time-out number; ] 
  [ max-transfer-idle-in number; ] 
  [ max-transfer-idle-out number; ] 
  [ max-refresh-time number; ] 
  [ max-retry-time number; ] 
  [ max-cache-ttl number; ]
  [ max-ncache-ttl number; ]
  [ min-refresh-time number; ] 
  [ min-retry-time number; ]
  [ transfer-format one-answer|many-answers; ]
  [ transfers-in  number; ]
  [ transfers-out number; ]
  [ transfers-per-ns number; ]
  [ transfer-source ip_addr|*] [port ip_port|*]; ] 
  [ transfer-source-v6 ip6_addr|*] [port ip_port|*]; ]
  [ coresize size; ]
  [ datasize size; ]
  [ files size; ]
  [ stacksize size; ]
  [ cleaning-interval number; ]
  [ heartbeat-interval number; ]
  [ interface-interval number; ]
  [ sortlist { address_match_list }; ]
  [ sig-validity-interval number; ]
  [ tkey-dhkey key_name 
                  key_tag; ]
  [ tkey-domain domain; ]
  [ zone-statistics yes|no; ]
};

Many BIND 9 options are the same as those used for BIND 8 and perform exactly the same functions. A few options have been added to BIND 9 to handle IPv6, which is an integral part of BIND 9. These options, listen-on-v6, notify-source-v6, query-source-v6, and transfer-source-v6, perform exactly the same functions as the like-named options do for IPv4. Many BIND 8 options are no longer needed because important functions have been incorporated into the new BIND 9 code. However, the list of options is no shorter because many new options have been added:

additional-from-auth

yes, the default, causes the server to use information from any zone for which it is authoritative when completing the additional data section of a response.

additional-from-cache

yes, the default, causes the server to use information from its cache when completing the additional data section of a response.

notify-source

Defines the address and port used to send NOTIFY messages.

recursive-clients

Defines the maximum number of outstanding recursive lookups the server will perform for its clients. The default is 1000.

tcp-clients

Defines the maximum number of concurrent client connections. The default is 1000.

allow-notify

Identifies the servers that are permitted to send NOTIFY messages to the slave servers.

port

Defines the port number used by the server. The default is standard port 53.

max-transfer-time-out

Defines the maximum time allowed for outbound zone transfers. The default is 2 hours.

max-transfer-idle-in

Defines the maximum time that an inbound zone transfer will be allowed to sit idle. The default is 1 hour.

max-transfer-idle-out

Defines the maximum time that an outbound zone transfer will be allowed to sit idle. The default is 1 hour.

max-refresh-time

Sets the maximum refresh time this server will use when acting as a slave. This value overrides the refresh time set in the SOA record of the zone for which this server acts as a slave.

max-retry-time

Sets the maximum retry time this server will use when acting as a slave. This value overrides the retry time set in the SOA record of the zone for which this server acts as a slave.

max-cache-ttl

Sets the maximum amount of time this server will cache data. This value overrides the TTL values defined in the zone from which the data was retrieved.

min-refresh-time

Sets the minimum refresh time this server will use when acting as a slave. This value overrides the refresh time set in the SOA record of the zone for which this server acts as a slave.

min-retry-time

Sets the minimum retry time this server will use when acting as a slave. This value overrides the retry time set in the SOA record of the zone for which this server acts as a slave.

sig-validity-interval

Defines the amount of time that digital signatures generated for automatic updates will be considered valid. The default is 30 days.

tkey-dhkey

Identifies the Diffie-Hellman key used by the server to generate shared keys.

tkey-domain

Defines the domain name appended to shared keys. Normally this is the server’s domain name.

zone-statistics

yes causes the server to collect statistics on all zones. The default is no.

Options change over time. Check the documentation that comes with the BIND 9 distribution for the latest list of options.

The logging Statement

The logging statement defines the logging options for the server. The logging statement can include two different types of subordinate clauses: the channel clause and the category clause. The BIND 8 syntax of the command is:

logging {
  [ channel channel_name {
     file pathname
       [ versions number|unlimited ]
       [ size size ]
    |syslog kern|user|mail|daemon|auth|syslog|lpr
                |news|uucp|cron|authpriv|ftp
                |local0|local1|local2|local3
                |local4|local5|local6|local7
    |null;

    [ severity critical|error|warning|notice
                 |info|debug [level]|dynamic; ]
    [ print-category yes|no; ]
    [ print-severity yes|no; ]
    [ print-time yes|no; ]
  }; ]

  [ category category_name {
    channel_name; [ channel_name; ... ]
  }; ]
  ...
};

The channel clause defines how logging messages are handled. Messages are written to a file (file), sent to syslog (syslog), or discarded (null). If a file is used, you can specify how many old versions are retained (version), how large the log file is allowed to grow (size), and the severity of the messages written to the log file (severity). You can specify that the time (print-time), category (print-category), and severity (print-severity) of the message be included in the log.

The category clause defines the types of messages sent to the channel. Thus the category clause defines what is logged, and the channel clause defines where it is logged. The categories are listed in Table C-1.

Table C-1. BIND 8 logging categories

Category

Type of messages logged

cname

Messages recording CNAME references.

config

Messages about configuration file processing.

db

Messages that log database operations.

default

Various types of messages. This is the default if nothing is specified.

eventlib

Messages containing debugging data from the event system.

insist

Messages that report internal consistency check failures.

lame-servers

Messages about lame server delegations.

load

Messages about loading the zone.

maintenance

Messages reporting maintenance events.

ncache

Messages about negative caching.

notify

Messages tracing the NOTIFY protocol.

os

Messages reporting operating system problems.

packet

Messages containing dumps of all of the packets sent and received.

panic

Messages generated by a fault that causes the server to shut down.

parser

Messages about configuration command processing.

queries

Messages about every DNS query received.

response-checks

Messages reporting the results of response checking.

security

Messages concerning the application of security criteria. These are most meaningful if allow-update, allow-query, and allow-transfer options are in use.

statistics

Messages containing server statistics.

update

Messages concerning dynamic updates.

xfer-in

Messages recording inbound zone transfers.

xfer-out

Messages recording outbound zone transfers.

The BIND 9 logging statement

The BIND 9 syntax of the logging command is:

logging {
  [ channel channel_name {
     file pathname
       [ versions number|unlimited ]
       [ size size ]
    |syslog kern|user|mail|daemon|auth|syslog|lpr
                |news|uucp|cron|authpriv|ftp
                |local0|local1|local2|local3
                |local4|local5|local6|local7
    |stderr
    |null;

    [ severity critical|error|warning|notice
                 |info|debug [level]|dynamic; ]
    [ print-category yes|no; ]
    [ print-severity yes|no; ]
    [ print-time yes|no; ]
  }; ]

  [ category category_name {
    channel_name; [ channel_name; ... ]
  }; ]
  ...
};

The channel clause is essentially the same as it was in BIND 8 with the addition of stderr as a possible destination for messages. The category clause looks the same, but there has been a major change in the categories supported. One category has been renamed from db to database. A dozen categories are no longer supported: cname, eventlib, insist, load, maintenance, ncache, os, packet, panic, parser, response-check, and statistics. Six new categories have been added:

general

A wide variety of messages.

resolver

Messages relating to DNS resolution.

client

Messages concerning processing of client requests.

network

Messages relating to network operations.

dispatch

Messages that trace packets sent to various server modules.

dnssec

Messages that track the processing of the DNSSEC and TSIG protocols.

The zone Statement

The zone statement identifies the zone being served and defines the source of DNS database information. There are four variants of the zone statement: one for the master server, one for the slave servers, one for the root cache zone, and a special one for forwarding. The BIND 8 syntax of each variant is:

zone domain_name [ in|hs|hesiod|chaos ] { 
  type master;
  file pathname;
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ check-names warn|fail|ignore; ]
  [ allow-update { address_match_list }; ]
  [ allow-query { address_match_list }; ]
  [ allow-transfer { address_match_list }; ]
  [ dialup yes|no; ]
  [ notify yes|no; ]
  [ also-notify { address-list };
  [ ixfr-base pathname; ]
  [ pubkey flags protocol algorithm key; ]
};

zone domain_name [ in|hs|hesiod|chaos ] { 
  type slave|stub;
  [ file pathname; ]
  [ ixfr-base pathname; ]
  masters [port ip_port]{ address-list };
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ check-names warn|fail|ignore; ]
  [ allow-update { address_match_list }; ]
  [ allow-query { address_match_list }; ]
  [ allow-transfer { address_match_list }; ]
  [ transfer-source ip_addr; ]
  [ dialup yes|no; ]
  [ max-transfer-time-in number; ]
  [ notify yes|no; ]
  [ also-notify { address-list };
  [ pubkey flags protocol algorithm key; ]
};

zone "." [ in|hs|hesiod|chaos ] { 
  type hint;
  file pathname;
  [ check-names warn|fail|ignore; ]
};

zone domain_name [in|hs|hesiod|chaos] { 
  type forward;
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ check-names warn|fail|ignore; ]
};

The zone keyword is followed by the name of the domain. For the root cache, the domain name is always ".“. The domain name is followed by the data class. This is always IN for Internet DNS service, which is the default if no value is supplied.

The type clause defines whether this is a master server, a slave server, a forwarded zone, or the hints file for the root cache. A stub server is a slave server that loads only the NS records instead of the entire domain.

The file clause for a master server points to the source file from which the zone is loaded. For the slave server, it points to the file to which the zone is written, and the master clause points to the source of the data written to the file. For the root cache, the file clause points to the hints file used to initialize the cache. A forwarded domain does not have a file clause because no data for the forwarded domain is stored on the local server.

With the exception of the pubkey option, all of the options available for the BIND 8 zone statement are covered earlier in this appendix. When defined in a zone statement, an option applies only to the specific zone. When specified in the options statement, an option applies to all zones. The specific settings for a zone override the global settings of the options statement.

The pubkey option defines the DNSSEC public encryption key for the zone when there is no trusted mechanism for distributing public keys over the network. pubkey defines the DNSSEC flags, protocol, and algorithm as well as a base64-encoded version of the key. The remote server that will be accessing this domain through DNSSEC defines the same settings using the trusted-key command described earlier in this appendix.

The BIND 9 zone statement

The BIND 9 syntax of the four zone statement variants is:

zone domain_name [ in|hs|hesiod|chaos ] { 
  type master;
  file pathname;
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ allow-update { address_match_list }; ] 
  [ allow-update-forwarding { address_match_list }; ]
  [ allow-query { address_match_list }; ]
  [ allow-transfer { address_match_list }; ]
  [ allow-notify { address_match_list }; ]
  [ dialup yes|no; ]
  [ notify yes|no|notify|notify-passive|refresh|passive; ]
  [ also-notify { address-list };
  [ database string; [...] ]
  [ update-policy { policy }; ]
  [ sig-validity-interval number; ]
  [ max-refresh-time number; ] 
  [ max-retry-time number; ] 
  [ max-transfer-idle-out number; ] 
  [ max-transfer-time-out number; ] 
  [ min-refresh-time number; ] 
  [ min-retry-time number; ]
};

zone domain_name [ in|hs|hesiod|chaos ] { 
  type slave|stub;
  [ file pathname; ]
  [ ixfr-base pathname; ]
  masters [port ip_port]{ address-list };
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
  [ check-names warn|fail|ignore; ]
  [ allow-update { address_match_list }; ]
  [ allow-update-forwarding { address_match_list }; ]
  [ allow-query { address_match_list }; ]
  [ allow-transfer { address_match_list }; ]
  [ transfer-source ip_addr; ]
  [ dialup yes|no|notify|notify-passive|refresh|passive; ]
  [ max-transfer-time-in number; ]
  [ notify yes|no; ]
  [ also-notify { address-list };
  [ max-refresh-time number; ] 
  [ max-retry-time number; ] 
  [ max-transfer-idle-in number; ] 
  [ max-transfer-idle-out number; ] 
  [ max-transfer-time-in number; ] 
  [ max-transfer-time-out number; ] 
  [ min-refresh-time number; ] 
  [ min-retry-time number; ]  
  [ transfer-source ip_addr|*] [port ip_port|*]; ] 
  [ transfer-source-v6 ip6_addr|*] [port ip_port|*]; ]
};

zone "." [ in|hs|hesiod|chaos ] { 
  type hint;
  file pathname;
};

zone domain_name [in|hs|hesiod|chaos] { 
  type forward;
  [ forward only|first; ]
  [ forwarders { address-list; }; ]
};

BIND 9 uses the same four zone command variations as does BIND 8. The difference between the two versions of BIND is that they use different options. Most of the options shown in the BIND 9 syntax were explained in the discussion of the BIND 9 options statement. The two options that are unique to the BIND 9 zone statement are:

allow-update-forwarding

Identifies the systems that are allowed to submit dynamic zone updates to a slave that will then be forwarded to the master.

database

Specifies the type of database used for storing zone data. The default is rbt, which is the only database type supported by the standard BIND 9 executable.

The controls Statement

The BIND 8 controls statement defines the control channels used by ndc. ndc can use a Unix socket or a network socket as a control channel. The controls statement defines those sockets. The syntax is:

controls {
  [ inet ip_addr 
    port ip_port 
    allow { address_match_list; }; ]
  [ unix pathname 
    perm file_permissions
    owner uid
    group gid; ]
};

The first three options, inet, port, and allow, define the IP address and the port number of a network socket and the access control list of those systems allowed to control named through that channel. Because BIND 8 has weak authentication, creating a control channel that is accessible from the network is a risky thing to do. Whoever gains access to that channel has control over the name server process.

The last four options, unix, perm, owner, and group, define the Unix control socket. The Unix socket appears as a file in the filesystem. It is identified by a normal file pathname, for example, /var/run/ndc. Like any file, the Unix socket is assigned the user ID (uid) of its owner and a valid group ID (gid). It is protected by standard file permissions. Only numeric uid, gid, and file_permissions values are acceptable. The file_permissions value must start with a 0. For example, to set owner read and write, group read, and world no permissions, the numeric value would be 0640.

The BIND 9 controls statement

The BIND 9 controls statement defines the control channels used by rndc. rndc performs the same functions as the older ndc program, but it can reliably be used over a network. The BIND 9 controls statement is:

controls {
  [ inet ip_addr|*
    port ip_port 
    allow address_match_list;
    keys key_list; ]
};

In BIND 9, the controls statement always defines a network socket. However, strong authentication is used that requires cryptographic keys.

BIND 9 view Statement

The view statement allows the same zone to be viewed differently by different clients. This makes it possible to provide an internal view to clients within an organization, and a more limited, external view to clients in the outside world. The syntax of the view command is:

view view-name {
  match-clients { address_match_list }; 
  [ view-option; ... ]
  [ zone-statement; ... ] 
};
view-name

An arbitrary name used inside the configuration to identify this view. To prevent conflicts with keywords, view-name should be enclosed in quotes, e.g., "internal".

match-clients

Defines the list of clients that will access the zone through this view.

view-option

A standard BIND 9 option. Any option defined inside the view statement applies only to this view. This allows different options to be applied to the same zone depending on which view of the zone is being used.

zone-statement

A standard BIND 9 zone statement. A complete zone statement is embedded inside the view statement to define the zone accessed through this view.

The view statement is available only in BIND 9. BIND 8 does not support views.

Zone File Records

Two types of entries are used to construct a zone file: directives that simplify constructing the file, and standard resource records that define the domain data contained in the zone file. While there are many types of standard resource records, there are only four directives. These are:

$INCLUDE filename

Identifies a file that contains data to be included in the zone file. The data in the included file must be valid directives or standard resource records. $INCLUDE allows a large zone file to be divided into smaller, more manageable units.

The filename specified on the command line is relative to the directory named on the directory option in the named.conf file. For example, if the named.conf file for crab points to /etc with the directory option, and a zone file on crab contains an $INCLUDE events.hosts statement, then the file /etc/events.hosts would be included in that zone file. If you don’t want the filename to be relative to that directory, specify a fully qualified name, such as /usr/dns/events.hosts.

$ORIGIN domainname

Changes the default domain name used by subsequent records in the zone file. Use this command to put more than one domain in a zone file. For example, an $ORIGIN events statement in the wrotethebook.com zone file sets the domain name to events.wrotethebook.com. All subsequent resource records would be relative to this new domain.

The named software uses $ORIGIN statements to organize its own information. Dumping the named database, with ndc dumpdb, produces a single file containing all the information that the server knows. This file, named_dump.db, contains many $ORIGIN entries to place all of the domains that named knows about into a single file.

$TTL time-to-live

Defines the default TTL value used on resource records that do not include a specific TTL. Each zone file should start with a $TTL directive to ensure that all resource records have a valid TTL. A purely numeric time-to-live field defines the TTL in seconds. An alphanumeric time-to-live format can also be used. For example, 1w sets the TTL to one week. The possible values for the alphanumeric format are:

  • w for week

  • d for day

  • h for hour

  • m for minute

  • s for second

$GENERATE range template

Generates resource records for a range of values using a specific resource record template. range is a numeric range of values written in the form low_value - high_value. $GENERATE creates a resource record for each value in range. Thus a range of 1-9 would create nine distinct records. The type of records created is determined by the template. The template is composed of literal values that are written to the resource record exactly as shown in the template, and the symbol $ that is replaced by the current range value before the resource record is written. Therefore, if the current range value is 7 and the template is $ CNAME $.first64, the resource record generated is 7 CNAME 7.first64.

These directives are helpful for organizing and controlling the data in a zone file, but all of the actual database information comes from standard resource records. All of the files pointed to by named.conf contribute to the DNS database, so all of these files are constructed from standard resource records.

Standard Resource Records

The format of standard resource records, sometimes called RRs, is defined in RFC 1033, the Domain Administrators Operations Guide. The format is:

[name] [ttl] class 
               type data

The individual fields in the standard resource record are:

name

This is the name of the object affected by this resource record. The named object can be as specific as an individual host, or as general as an entire domain. The string entered for name is relative to the current domain unless a fully qualified domain name is used.[158]

Certain name values have special meaning. These are:

A blank name field denotes the current named object. The current name stays in force until a new name value is encountered in the name field. This permits multiple RRs to be applied to a single object without having to repeat the object’s name for each record.

..

Two dots in the name field refer to the root domain. However, a single dot (the actual name of the root) also refers to the root domain, and is more commonly used.

@

A single at-sign (@) in the name field refers to the current origin. The origin is a domain name derived by the system from the current domain name, or explicitly set by the system administrator using the $ORIGIN command.

*

An asterisk in the name field is a wildcard character. It stands for a name composed of any string. It can be combined with a domain name or used alone. Used alone, an asterisk in the named field means that the resource record applies to objects with names composed of any string of characters plus the name of the current domain. Used with a domain name, the asterisk is relative to that domain. For example, *.uucp. in the name field means any string plus the string .uucp.

ttl

Time-to-live defines the length of time that the information in this resource record should be kept in the cache. When ttl is specified as a purely numeric value, it defines the length of time in seconds. ttl can also use the alphanumeric format described for the $TTL directive. If no value is set for ttl, it defaults to the value defined for the entire zone file by the $TTL directive.

class

This field defines the address class of the resource record. The Internet address class is IN. All resource records used by Internet DNS have IN in this field, but it is possible for a zone file to hold non-Internet information. For example, information used by the Hesiod server, a name server developed at MIT, is identified by HS in the class field, and chaosnet information is identified by a CH in the class field. All resource records used in this book have an address class of IN.

type

This field indicates the type of data this record provides. For example, the A type RR provides the address of the host identified in the name field. The most common standard resource record types are discussed in the following sections.

data

This field contains the information specific to the resource record. The format and content of the data field vary according to the resource record type. The data field is the meat of the RR. For example, in an A record, the data field contains the IP address.

In addition to the special characters that have meaning in the name field, zone file records use these other special characters:

;

The semicolon is the comment character. Use the semicolon to indicate that the remaining data on the line is a comment.

( )

Parentheses are the continuation characters. Use parentheses to continue data beyond a single line. After an opening parenthesis, all data on subsequent lines is considered part of the current line until a closing parenthesis.

\ x

The backslash is an escape character. A non-numeric character following a backslash (\) is taken literally, and any special meaning that the character may ordinarily have is ignored. For example, \; means a semicolon—not a comment.

\ ddd

The backslash can also be followed by three decimal numbers. When the escape character is used in this manner, the decimal numbers are interpreted as an absolute byte value. For example, \255 means the byte value 11111111.

The same general resource record format is used for each of the resource records in a zone file. The most commonly used resource records are described below.[159]

Start of Authority record

The Start of Authority (SOA) record marks the beginning of a zone, and is usually the first record in a zone file. All of the records that follow are part of the zone declared by the SOA. Each zone has only one SOA record; the next SOA record encountered marks the beginning of another zone. Because a zone file is normally associated with a single zone, it normally contains only one SOA record.

The format of the SOA record is:

[zone] [ttl] IN SOA origin contact  ( 
                    serial
                  refresh
                    retry
                  expire 
                  negative_cache_ttl  )

The components of the SOA record are:

zone

This is the name of the zone. Usually the SOA name field contains an at-sign (@). When used in an SOA record, the at-sign refers back to the domain name declared in the named.conf zone statement that points to this zone file.

ttl

Time-to-live is left blank on the SOA record.

IN

The address class is IN for all Internet RRs.

SOA

SOA is the resource record type. All the information that follows this is part of the data field and is specific to the SOA record.

origin

This is the hostname of the master server for this domain. It is normally written as a fully qualified domain name. For example, crab is the master server for wrotethebook.com, so this field contains crab.wrotethebook.com. in the SOA record for wrotethebook.com.

contact

The email address of the person responsible for this domain is entered in this field. The address is modified slightly. The at-sign (@) that usually appears in an Internet email address is replaced by a dot. Therefore, if david@crab.wrotethebook.com is the mailing address of the administrator of the wrotethebook.com domain, the wrotethebook.com SOA record contains david.crab.wrotethebook.com. in the contact field.

serial

This is the version number of the zone file. It is a ten-digit numeric field usually entered as a simple number, e.g., 117. However, the composition of the number is up to the administrator. Some choose a format that shows the date the zone was updated, e.g., 2001061800. Regardless of the format, the important thing is that the serial number must increase every time the data in the zone file is modified.

The serial field is extremely important. It is used by the slave servers to determine if the zone file has been updated. To make this determination, a slave server requests the SOA record from the master server and compares the serial number of the data it has stored to the serial number received from the master server. If the serial number has increased, the slave server requests a full zone transfer. Otherwise it assumes that it has the most current zone data. You must increment the serial number each time you update the zone data. If you don’t, the new data may not be disseminated to the slave servers.

refresh

This specifies the length of time that the slave server should wait before checking with the master server to see if the zone has been updated. Every refresh seconds, the slave server checks the SOA serial number to see if the zone file needs to be reloaded. Slave servers check the serial numbers of their zones whenever they restart. But it is important to keep the slave server’s database current with the master server, so named does not rely on these unpredictable events. The refresh interval provides a predictable cycle for reloading the zone that is controlled by the domain administrator.

The value used in refresh is a number, up to eight digits long, that is the maximum number of seconds that the master and slave servers’ databases can be out of sync. A low refresh value keeps the data on the servers closely synchronized, but a very low refresh value is not usually required. A value set lower than needed places an unnecessary burden on the network and the slave servers. The value used in refresh should reflect the reality of how often your DNS database is updated.

Most sites’ DNS databases are very stable. Systems are added periodically, but not generally on an hourly basis. When you are adding a new system, you can assign the hostname and address of that system before the system is operational. You can then install this information in the name server database before it is actually needed, ensuring that it is disseminated to the slave servers long before it has to be used.

If extensive changes are planned, the refresh time can be temporarily reduced while the changes are underway. Therefore, you can normally set refresh time high, reducing load on the network and servers. Two (43200 seconds) to four (21600 seconds) times a day for refresh is adequate for many sites.

The process of retrieving the SOA record, evaluating the serial number, and, if necessary, downloading the zone file is called a zone refresh. Thus the name refresh is used for this value.

retry

This defines how long slave servers should wait before trying again if the master server fails to respond to a request for a zone refresh. retry is specified in seconds and can be up to eight digits long.

You should not set the retry value too low. If a master server fails to respond, the server or the network could be down. Quickly retrying a down system gains nothing and costs network resources. A slave server that backs up a large number of zones can have problems when retry values are short. If the slave server cannot reach the master servers for several of its zones, it can become stuck in a retry loop.[160] Avoid problems; use an hour (3600) or a half hour (1800) for the retry value.

expire

This defines how long the zone’s data should be retained by the slave servers without receiving a zone refresh. The value is specified in seconds and is up to eight digits long. If after expire seconds the slave server has been unable to refresh this zone, it should discard all of the data.

expire is normally a very large value. 604800 seconds (about one week) is commonly used. This says that if there has been no answer from the master server to refresh requests repeated every retry seconds for the last 7 days, discard the data. Seven days is a good value, but much longer values are not unusual.

negative_cache_ttl

The negative_cache_ttl field of the SOA record is the default time-to-live for negative information about this domain that is cached by remote servers. All servers cache answers and use those answers to respond to subsequent queries. Most of the answers cached by a server are standard resource records. Yet a name server can learn from an authoritative server that a specific resource record does not exist. This is also valuable information that should be cached.

The server keeps cached records as long as they are valid, and the TTL defines how long that is. Each resource record has a TTL, either a TTL defined specifically for that record or the default TTL defined by the $TTL directive. However, there is no resource record for negative information and thus no explicit TTL. It is the negative_cache_ttl that tells remote servers how long to cache negative information.

The negative_cache_ttl value is usually set to between 5 and 15 minutes. This is long enough to prevent repeated queries for nonexistent information from causing your server any trouble, but short enough for repeated queries caused by a remote user who knows that a system with a certain name will soon come online.

Most of the fields in the SOA record provide values used to keep the slave servers synchronized with the master server. These values are used to guarantee that the slave will periodically pull a copy of the zone from the master server. In addition to this, and completely independent of the settings on the SOA record, the master notifies the slaves when the zone is updated in order to push a copy of the zone down to the slave. Combining the master-initiated zone push and the slave-initiated zone pull ensures that the zone files on the master and its slaves stay tightly synchronized.

A sample SOA record for the wrotethebook.com domain is:

@    IN  SOA  crab.wrotethebook.com. david.crab.wrotethebook.com. ( 
              2001061801             ; serial 
              21600                  ; refresh four times a day 
              1800                   ; retry every half hour 
              604800                 ; expire after 1 week 
              900                    ; negative cache ttl is 15 minutes
)

Notice the serial number in this SOA. The serial number is in the format yyyymmddvv, where yyyy is the year, mm is the month, dd is the day, and vv is the version written that day. This type of serial number allows the administrator to track what day the zone was updated. Adding the version number allows for multiple updates in a single day. This zone file was created June 18, 2001, and it is the first update that day.

This SOA record also says that crab is the master server for this zone and that the person responsible for this zone can be reached at the email address david@crab.wrotethebook.com. The SOA tells the slave servers to check the zone for changes four times a day and to retry every half hour if they don’t get an answer. If they retry for an entire week and never get an answer, they should discard the data for this zone. Finally, if an RR does not exist in this zone and the remote server decides to cache that information, it should cache that information for 15 minutes.

Name Server record

Name Server (NS) resource records identify the authoritative servers for a zone. These records are the pointers that link the domain hierarchy together. NS records in the top-level domains point to the servers for the second-level domains, which in turn contain NS records that point to the servers for their subdomains. Name server records pointing to the servers for subordinate domains are required for these domains to be accessible. Without NS records, the servers for a domain would be unknown.

The format of the NS RR is:

[domain] [ttl] IN NS server
domain

The name of the domain for which the host specified in the server field is an authoritative name server.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

NS

The name server resource record type is NS.

server

The hostname of a computer that provides authoritative name service for this domain.

Usually domains have at least one server that is located outside the local domain. The server name cannot be specified relative to the local domain; it must be specified as a fully qualified domain name. To be consistent, many administrators use fully qualified names for all servers, even though it is not necessary for servers within the local domain.

Address record

The majority of the resource records in a forward-mapping zone file[161] are address records. Address records are used to convert hostnames to IP addresses, which is the most common use of the DNS database.

The address RR contains the following:

 [host] [ttl] IN A address
host

The name of the host whose address is provided in the data field of this record. Most often the hostname is written relative to the current domain.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

A

The address resource record type is A.

address

The IP address of the host is written here in dotted decimal form, e.g., 172.16.12.2.

A glue record is a special type of address record. Most address records refer to hosts within the zone, but sometimes an address record needs to refer to a host in another zone. This is done to provide the address of a name server for a subordinate domain. Recall that the NS record for a subdomain server identifies the server by name. An address is needed to communicate with that server, so an A record must also be provided. The address record, combined with the name server record, links the domains together—thus the term “glue record.”

Mail Exchanger record

The Mail Exchanger (MX) record redirects mail to a mail server. It can redirect mail for an individual computer or an entire domain. MX records are extremely useful for domains that contain some systems that don’t run SMTP server software. Mail addressed to those systems can be redirected to computers that do run server software. MX records are also used to simplify mail addressing by redirecting mail to servers that understand the simplified addresses.

The format of the MX RR is:

[name] [ttl] IN MX preference host
name

The name of a host or domain to which the mail is addressed. Think of this as the value that occurs after the @ in a mailing address. Mail addressed to this name is sent to the mail server specified by the MX record’s host field.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

MX

The mail exchanger resource record type is MX.

preference

A host or domain may have more than one MX record associated with it. The preference field specifies the order in which the mail servers are tried. Servers with low preference numbers are tried first, so the most preferred server has a preference of 0. Preference values are usually assigned in increments of 5 or 10, so that new servers can be inserted between existing servers without editing the old MX records.

host

The name of the mail server to which mail is delivered when it is addressed to the host or domain identified in the name field.

Here is how MX records work. If a remote system has mail to send to a host, it requests the host’s MX records. DNS returns all of the MX records for the specified host. The remote server chooses the MX with the lowest preference value and attempts to deliver the mail to that server. If it cannot connect to that server, it will try each of the remaining servers in preference order until it can deliver the mail. If no MX records are returned by DNS, the remote server delivers the mail directly to the host to which the mail is addressed. MX records only define how to redirect mail. The remote system and the mail server perform all of the processing that actually delivers the mail.

Because the remote system will first try to use an MX record, many domain administrators include MX records for every host in the zone. Many of these MX records point right back to the host to which the mail is addressed, e.g., an MX for crab with a host field of crab.wrotethebook.com. These records are used to ensure that the remote computer first attempts delivery to the host, and uses the MX server only if the host cannot accept the mail.

An important use for MX records is to allow mail to non-Internet sites to be delivered using Internet-style addressing. MX records do this by redirecting the mail to computers that know how to deliver the mail to non-Internet networks. For example, sites using uucp can register an Internet domain name with UUNET. UUNET uses MX records to redirect Internet mail addressed to these non-connected sites to uunet.uu.net, which delivers the mail to its final destination via uucp.

Here are some MX examples. All of these examples are for the imaginary domain wrotethebook.com. In the first example, mail addressed to clock.wrotethebook.com is redirected to crab.wrotethebook.com with this MX record:

 clock IN MX 10 crab

The second example is an MX record used to simplify mail addressing. People can send mail to any user in this domain without knowing the specific computer that the user reads his mail on. Mail addressed to user@wrotethebook.com is redirected by this MX record to crab, which is a mail server that knows how to deliver mail to every individual user in the domain.

 wrotethebook.com. IN MX 10 crab.wrotethebook.com.

The last example is an MX record that redirects mail addressed to any host within the domain to a central mail server. Mail addressed to any host, horseshoe.wrotethebook.com, 24seven.wrotethebook.com, or anything.wrotethebook.com, is redirected to crab. This is the most common use of the wildcard character (*).

 *.wrotethebook.com. IN MX 10 crab.wrotethebook.com.

In these examples, the preference is 10 so that a mail server with a lower preference number can be added to the zone without changing the existing MX record. Also notice that the hostnames in the first example are specified relative to the wrotethebook.com domain, but the other names are not relative because they end in a dot. All of these names could have been entered as relative names because they all are hosts in the wrotethebook.com domain; fully qualified names were used only to vary the examples. Finally, the wildcard MX record applies only to hosts that do not have specific MX records. If the specific record for clock is in the same configuration as the wildcard record, the wildcard MX does not apply to clock.

Canonical Name record

The Canonical Name (CNAME) resource record defines an alias for the official name of a host. The CNAME record provides a facility similar to nicknames in the host table. The facility provides alternate hostnames for the convenience of users, and generic hostnames used by applications (such as loghost used by syslogd).

The CNAME record is frequently used to ease the transition from an old hostname to a new hostname. While it is best to avoid hostname changes by carefully choosing hostnames in the first place, not all changes can be avoided. When you do make a name change, it can take a long time before it becomes completely effective, particularly if the hostname is embedded in a mailing list run at a remote site. To reduce problems for the remote site, use a CNAME record until they can make the change.

The format of the CNAME record is:

                  nickname [ttl] IN CNAME host
nickname

This hostname is an alias for the official hostname defined in the host field. The nickname can be any valid hostname.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

CNAME

The canonical name resource record type is CNAME.

host

The canonical name of the host is provided here. This hostname must be the official hostname; it cannot be an alias.

One important thing to remember about the CNAME record is that all other resource records must be associated with the official hostname and not with the nickname. This means that the CNAME record should not be placed between a host and the list of RRs associated with that host. The example below shows a correctly placed CNAME record:

rodent     IN    A       172.16.12.2 
           IN    MX      5 rodent.wrotethebook.com. 
           IN    RP      alana.wrotethebook.com. alana 
           IN    TXT     "Linux workstation in room A15"
mouse      IN    CNAME   rodent.wrotethebook.com.

In this example, the hostname rodent stays in force for the MX, RP, and TXT records because they all have blank name fields. The CNAME record changes the name field value to mouse, which is a nickname for rodent. Any RRs with blank name fields following this CNAME record would associate themselves with the nickname mouse, which is illegal. An improper CNAME placement is:

rodent     IN    A       172.16.12.2 
mouse      IN    CNAME   rodent.wrotethebook.com. 
           IN    MX      5 rodent.wrotethebook.com. 
           IN    RP      alana.wrotethebook.com. alana 
           IN    TXT     "Linux workstation in room A15"

This improperly placed CNAME record causes named to display the error message “mouse.wrotethebook.com has CNAME and other data (illegal).” Check /var/adm/messages for named error messages to ensure that you have not misplaced any CNAME records.

Domain Name Pointer record

The Domain Name Pointer (PTR) resource records are used to convert numeric IP addresses to hostnames. This is the opposite of what is done by the address record that converts hostnames to addresses. PTR records are used to construct the in-addr.arpa reverse domain files.

Many administrators ignore the reverse domains because things appear to run fine without them. Don’t ignore them. Keep these zones up to date. Several programs use the reverse domains to map IP addresses to hostnames when preparing status displays. A good example is the netstat command. Some service providers use the reverse domains to track who is using their services. If they cannot map your IP address back to a hostname, they reject your connection.

The format of the PTR record is:

                  name [ttl] IN PTR host
name

The name specified here is actually a number. The number is defined relative to the current in-addr.arpa domain. Names in an in-addr.arpa domain are IP addresses specified in reverse order. If the current domain is 16.172.in-addr.arpa, then the name field for rodent (172.16.12.2) is 2.12. These digits (2.12) are added to the current domain (16.172.in-addr.arpa) to make the name 2.12.16.172.in-addr.arpa. Chapter 4 discusses the unique structure of in-addr.arpa domain names.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

PTR

The Domain Name Pointer resource record type is PTR.

host

This is the fully qualified domain name of the computer whose address is specified in the name field. The host must be specified as a fully qualified name because the name cannot be relative to the current in-addr.arpa domain.

There are many examples of PTR records in the sample reverse-mapping zone file (172.16.rev) shown in Chapter 8.

Responsible Person record

The Responsible Person (RP) record identifies the point of contact for a host or domain. The format of the RP record is:

[name] [ttl] IN RP mail_address text_pointer
name

The name of the domain object for which the responsible person is defined.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

RP

The resource record type is RP.

mail_address

The email address of the responsible person. The @ usually included in an email address is replaced with a dot. Thus, craig@wrotethebook.com becomes craig.wrotethebook.com.

text_pointer

The domain name of a TXT record that contains additional information about the responsible person.

Here’s an example of how an RP record is used with a TXT record:

crab.wrotethebook.com.   IN RP  craig.wrotethebook.com. crabRP
crabRP.wrotethebook.com. IN TXT "Craig Hunt (301)555-1234 X237"

The RP record states that the person responsible for crab.wrotethebook.com can be reached via email at craig@wrotethebook.com and that additional information about the person can be obtained in the TXT records for crabRP.wrotethebook.com. The TXT record provides the contact person’s name and phone number.

Text record

The Text (TXT) resource record holds string data. The text data can be in any format. Some sites define a local format for the information. For example, a TXT record could hold the Ethernet address of a host at one site and a room number at another site.

The format of the TXT record is:

[name] [ttl] IN TXT string
name

The name of the domain object with which the string data is associated.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

TXT

The resource record type is TXT.

string

The string field contains text data enclosed in quotation marks.

Host Information record

The Host Information (HINFO) resource record provides a short description of the hardware and operating system used by a specific host. The hardware and software are described using standard terminology defined in the Assigned Numbers RFC in the sections on Machine Names (hardware) and System Names (software). There are a large number of hardware and software designators listed in the RFC. Most names use the same general format. Names with embedded blanks must be enclosed in quotes, so some names have a dash (-) where you might expect a blank. A machine name is usually the manufacturer’s name in uppercase letters separated from the model number by a dash. The system name is usually the manufacturer’s operating system name written in uppercase letters. Naturally the rapid changes in the computer market constantly make the data in the Assigned Numbers RFC out of date. Because of this, many administrators make up their own values for machine names and system names.

The format of the HINFO record is:

[host] [ttl] IN HINFO hardware software
host

The hostname of the computer whose hardware and software are described in the data section of this resource record.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

HINFO

HINFO is the resource record type. All of the information that follows is part of the HINFO data field.

hardware

This field identifies the hardware used by this host. It contains the machine name defined in the Assigned Numbers RFC. This field must be enclosed in quotes if it contains any blanks. A single blank space separates the hardware field from the software field that follows it.

software

This field identifies the operating system software this host runs. It contains the system name defined for this operating system in the Assigned Numbers RFC. Use quotes if the system name contains any blanks.

No widely used application makes use of the HINFO record; the record just provides information. Some security-conscious sites discourage its use. They fear that this additional information helps intruders narrow their attacks to the specific hardware and operating system that they wish to crack. The general-purpose TXT record is more often used to provide information about systems than is the HINFO record.

Well-Known Services record

The Well-Known Services (WKS) resource record names the network services supported by the specified host. The official protocol names and services names used on the WKS record are defined in the Assigned Numbers RFC. The simplest way to list the names of the well-known services is to cat the /etc/services file on your system. Each host can have no more than two WKS records; one record for TCP and one for UDP. Because several services are usually listed on the WKS record, each record may extend through multiple lines.

The format of the WKS record is:

[host] [ttl] IN WKS address protocol services
host

The hostname of the computer that provides the advertised services.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

WKS

The resource record type is WKS. All of the information that follows is variable information for the WKS record.

address

The IP address of the host written in dotted decimal format, e.g., 172.16.12.2.

protocol

The transport-level protocol through which the service communicates—either TCP or UDP.

services

The list of services provided by this host. As few or as many services as you choose may be advertised, but the names used to advertise the services must be the names found in the /etc/services file. Items in the list of services are separated by spaces. Parentheses are used to continue the list beyond a single line.

There are no widely used applications that make use of this record. It is used only to provide general information about the system. Again, security-conscious sites may not wish to advertise their services. Some protocols, such as tftp and finger, are prime targets for intruders. The SRV record is more useful for providing information about the services offered by a specific server.

Server Selection record

The Server Selection (SRV) record provides a standardized way to locate network servers. The SRV record provides a standard convention for creating generic server names, and it adds features for server selection and load-balancing. The format of the SRV record is:

                  name [ttl] IN SRV preference weight port server
name

The SRV record has a unique _ service ._ protocol . name format. Dots are used to separate the components in the name field just as in any domain name. The underscore characters (_) are used to prevent the service name and the protocol name from colliding with real domain names. service is the name of the offered service as listed in the /etc/services file. protocol is the protocol name associated with that service in the /etc/services file. name is a standard host or domain name that would be found in any name field. Using these criteria, the name that could be used to find the FTP servers for the wrotethebook.com domain would be _ftp._tcp.wrotethebook.com.

ttl

Time-to-live is usually blank.

IN

The address class is IN.

SRV

The resource record type is SRV.

preference

A number used to select the most preferred server when multiple SRV records exist for the same service. The server with the lowest number is the most preferred. All traffic is sent to the most preferred servers; servers with a higher preference number are used only if the preferred servers are not available.

weight

A number that defines the share of traffic sent to a server, with 1 being the base. If server A has a weight of 1 and server B has a weight of 2, B gets twice as much traffic as A. weight is used only to balance the load among servers with the same preference number.

port

The port number used for the specified service. Normally, this is the port number defined in the /etc/services file for the specified service. But it is possible to specify a nonstandard port number for services equipped to use nonstandard numbers.

server

The canonical hostname of the computer running the requested service.


[157] Sun systems use in.named instead of named.

[158] The FQDN must be specified all the way to the root; i.e., it must end with a dot.

[159] There are more than 40 RRs, most of which are not used. For a description of all of them, see Linux DNS Administration by Craig Hunt (Sybex).

[160] The server may alternate between periods when it fails to respond and when it resolves queries, or it may display the error “too many open files.”

[161] Chapter 8 describes the various named configuration files.