Author(s): Cricket Liu, Paul Albitz
Edition: Fifth
Publisher: O’Reilly
Year: 2006
Language: English
Pages: 642
City: New York
Table of Contents......Page 7
Preface......Page 13
What’s New in the Fifth Edition?......Page 15
Organization......Page 16
Audience......Page 18
Obtaining the Example Programs......Page 19
Conventions Used in This Book......Page 20
Safari® Enabled......Page 21
Acknowledgments......Page 22
A (Very) Brief History of the Internet......Page 25
On the Internet and Internets......Page 26
The History of the Domain Name System......Page 27
The Domain Name System, in a Nutshell......Page 28
Must I Use DNS?......Page 33
The Domain Namespace......Page 35
Domain Names......Page 36
Domains......Page 37
Resource Records......Page 40
Top-Level Domains......Page 41
Country-code top-level domains......Page 42
Further Down......Page 43
Reading Domain Names......Page 44
Delegation......Page 45
Nameservers and Zones......Page 46
Types of Nameservers......Page 49
Resolvers......Page 50
Root Nameservers......Page 51
Recursion......Page 53
Choosing Between Authoritative Nameservers......Page 54
The Whole Enchilada......Page 55
Mapping Addresses to Names......Page 56
Caching......Page 58
Time to Live......Page 59
Getting BIND......Page 61
Handy Mailing Lists and Usenet Newsgroups......Page 63
Finding IP Addresses......Page 64
On Registrars and Registries......Page 65
Where in the World Do I Fit?......Page 66
whois......Page 67
Back in the U.S.A.......Page 68
The generic top-level domains......Page 70
Choosing a registrar......Page 71
Checking That Your Network Is Registered......Page 72
Registering Your Zones......Page 74
Our Zone......Page 77
Setting Up Zone Data......Page 78
The Zone Datafiles......Page 79
Setting the Zone’s Default TTL......Page 80
SOA Records......Page 81
Address and Alias Records......Page 82
PTR Records......Page 84
The Completed Zone Datafiles......Page 85
The Loopback Address......Page 86
The Root Hints Data......Page 87
Setting Up a BIND Configuration File......Page 89
The @ Notation......Page 92
The Shortened Zone Datafiles......Page 93
Hostname Checking......Page 95
Tools......Page 97
Running a Primary Nameserver......Page 98
Check for Syslog Errors......Page 99
Testing Your Setup with nslookup......Page 100
Look up a local domain name......Page 101
One more test......Page 102
Editing the Startup Files......Page 104
Running a Slave Nameserver......Page 105
Setup......Page 106
Backup Files......Page 108
SOA Values......Page 109
Multiple Master Servers......Page 111
What’s Next?......Page 112
DNS and Electronic Mail......Page 113
MX Records......Page 114
What’s a Mail Exchanger, Again?......Page 116
The MX Algorithm......Page 118
DNS and Email Authentication......Page 120
The Sender Policy Framework......Page 121
The Resolver......Page 124
The Local Domain Name......Page 125
The Search List......Page 126
The BIND 4.9 and later search list......Page 127
The search Directive......Page 128
The nameserver Directive......Page 129
More than one nameserver configured......Page 131
The sortlist Directive......Page 133
The options Directive......Page 134
Comments......Page 135
Resolver Only......Page 136
Local Nameserver......Page 137
Minimizing Pain and Suffering......Page 138
Differences in Service Behavior......Page 139
Electronic Mail......Page 140
Updating .rhosts, hosts.equiv, etc.......Page 141
Providing Aliases......Page 142
nsswitch.conf......Page 143
The Windows XP Resolver......Page 144
Caching......Page 148
Subnet Prioritization......Page 149
Controlling the Nameserver......Page 151
ndc and controls (BIND 8)......Page 152
rndc and controls (BIND 9)......Page 155
Using rndc to control multiple servers......Page 157
New rndc commands......Page 158
Using Signals......Page 159
Updating Zone Datafiles......Page 160
SOA Serial Numbers......Page 161
Starting Over with a New Serial Number......Page 162
Responsible Person......Page 164
Generating Zone Datafiles from the Host Table......Page 165
Organizing Your Files......Page 167
Using Several Directories......Page 168
Changing the Origin in a Zone Datafile......Page 170
Changing System File Locations......Page 171
Logging......Page 172
The logging Statement......Page 175
Channel Details......Page 176
syslog channels......Page 177
BIND 8 categories......Page 178
BIND 9 categories......Page 180
Viewing all category messages......Page 181
Keeping Everything Running Smoothly......Page 182
Common Syslog Messages......Page 183
Understanding the BIND Statistics......Page 190
BIND 8 statistics......Page 192
BIND 9 statistics......Page 199
Using the BIND statistics......Page 200
How Many Nameservers?......Page 201
Where Do I Put My Nameservers?......Page 202
Capacity Planning......Page 204
Primary Master and Slave Servers......Page 209
Caching-Only Servers......Page 211
Partial-Slave Servers......Page 212
Registering Nameservers......Page 213
Changing TTLs......Page 216
Changing Other SOA Values......Page 218
Outages......Page 219
Recommendations......Page 221
Long Outages (Days)......Page 222
Really Long Outages (Weeks)......Page 223
Parenting......Page 225
How Many Children?......Page 226
What to Name Your Children......Page 227
How to Become a Parent: Creating Subdomains......Page 228
Creating a Subdomain in the Parent’s Zone......Page 229
Creating and Delegating a Subdomain......Page 230
An fx.movie.edu Slave......Page 234
On the movie.edu Primary Nameserver......Page 235
Delegating an in-addr.arpa Zone......Page 236
Adding a movie.edu Slave......Page 237
Subdomains of in-addr.arpa Domains......Page 238
Subnetting on a Nonoctet Boundary......Page 239
/24 (Class C–sized) networks......Page 240
Using host......Page 244
Managing Delegation......Page 245
Managing delegation with stubs......Page 246
Managing the Transition to Subdomains......Page 247
Removing Parent Aliases......Page 248
The Life of a Parent......Page 249
Address Match Lists and ACLs......Page 250
DNS Dynamic Update......Page 252
Dynamic Update and Zone Datafiles......Page 254
Update Access Control Lists......Page 255
TSIG-Signed Updates......Page 256
DNS NOTIFY (Zone Change Notification)......Page 259
Incremental Zone Transfer (IXFR)......Page 264
IXFR from Differences......Page 265
BIND 8 IXFR Configuration......Page 266
BIND 9 IXFR Configuration......Page 267
Forwarding......Page 268
A More Restricted Nameserver......Page 269
Forward Zones......Page 270
Views......Page 271
Round-Robin Load Distribution......Page 274
Multiple CNAMEs......Page 275
The rrset-order Substatement......Page 276
Nameserver Address Sorting......Page 277
Preferring Nameservers on Certain Networks......Page 279
A Nonrecursive Nameserver......Page 280
Avoiding a Bogus Nameserver......Page 281
Limiting transfers requested per nameserver......Page 282
Limiting the total number of zone transfers requested......Page 283
Limiting the duration of a zone transfer......Page 284
More efficient zone transfers......Page 285
Changing the data segment size limit......Page 286
Changing the core size limit......Page 287
Limiting the number of clients......Page 288
Cleaning interval......Page 289
TTLs......Page 290
Compatibility......Page 291
The ABCs of IPv6 Addressing......Page 292
Configuring the IPv4 Transport......Page 294
Configuring the IPv6 Transport......Page 297
IPv6 Forward and Reverse Mapping......Page 298
AAAA and ip6.arpa......Page 299
A6 records and forward mapping......Page 300
DNAME records and reverse mapping......Page 302
Security......Page 306
One-Way Hash Functions......Page 307
Configuring TSIG......Page 308
Using TSIG......Page 310
BIND Version......Page 311
Restricting all queries......Page 313
Preventing Unauthorized Zone Transfers......Page 314
Running BIND with Least Privilege......Page 316
“Advertising” nameserver configuration......Page 318
“Resolving” nameserver configuration......Page 319
Two Nameservers in One......Page 320
DNS and Internet Firewalls......Page 324
Packet filters......Page 325
Proxies......Page 326
A Bad Example......Page 327
Internet Forwarders......Page 328
The trouble with forwarding......Page 330
Using forward zones......Page 332
Where to put internal root nameservers......Page 333
in-addr.arpa delegation......Page 334
The db.root file......Page 335
Configuring other internal nameservers......Page 336
Mail from internal hosts to the Internet......Page 337
Mail to specific Internet domain names......Page 338
A Split Namespace......Page 339
Configuring the bastion host......Page 341
The final configuration......Page 343
Using views on the bastion host......Page 345
The DNS Security Extensions......Page 346
Public-Key Cryptography and Digital Signatures......Page 347
The DNSKEY Record......Page 348
The RRSIG Record......Page 350
The NSEC Record......Page 352
The DS Record and the Chain of Trust......Page 354
Delegating to unsigned zones......Page 356
DO, AD, and CD......Page 357
How the Records Are Used......Page 358
Zone-Signing Keys and Key-Signing Keys......Page 359
Generating your key pairs......Page 360
Signing your zone......Page 361
Sending your keys to be signed......Page 364
Signing a parent zone......Page 365
DNSSEC and Dynamic Update......Page 366
Changing Keys......Page 370
What Was That All About?......Page 372
Is nslookup a Good Tool?......Page 373
The Search List......Page 374
Interactive Versus Noninteractive......Page 375
Option Settings......Page 376
The .nslookuprc File......Page 378
Looking Up Different Record Types......Page 379
Authoritative Versus Nonauthoritative Answers......Page 380
Switching Nameservers......Page 381
Less Common Tasks......Page 382
Showing the Query and Response Messages......Page 383
Querying Like a BIND Nameserver......Page 385
Zone Transfers......Page 388
Looking Up the Right Data......Page 390
No Response from Server......Page 391
Query Refused......Page 392
Finding Out What Is Being Looked Up......Page 393
Best of the Net......Page 394
Using dig......Page 395
dig’s Output Format......Page 396
Zone Transfers with dig......Page 398
dig Options......Page 399
Debugging Levels......Page 400
BIND 8 debugging levels......Page 401
BIND 9 debugging levels......Page 402
Turning On Debugging......Page 403
Nameserver Startup (BIND 8, Debug Level 1)......Page 404
Nameserver Startup (BIND 9, Debug Level 1)......Page 407
A Successful Lookup (BIND 8, Debug Level 1)......Page 409
A Successful Lookup with Retransmissions (BIND 8, Debug Level 1)......Page 412
A Slave Nameserver Checking Its Zone (BIND 8, Debug Level 1)......Page 413
A Slave Nameserver Checking Its Zone (BIND 9 Debug Level 1)......Page 416
The Resolver Search Algorithm and Negative Caching (BIND 8)......Page 417
The Resolver Search Algorithm and Negative Caching (BIND 9)......Page 418
Tools......Page 419
Is NIS Really Your Problem?......Page 420
How to Use named-xfer......Page 421
What if I Don’t Have named-xfer?......Page 423
How to Read a BIND 8 Database Dump......Page 424
How to Read a BIND 9 Database Dump......Page 428
Logging Queries......Page 432
1. Forgot to Increment Serial Number......Page 433
3. Slave Nameserver Can’t Load Zone Data......Page 435
4. Added Name to Zone Datafile but Forgot to Add PTR Record......Page 437
5. Syntax Error in Configuration File or Zone Datafile......Page 438
6. Missing Dot at the End of a Domain Name in a Zone Datafile......Page 440
8. Loss of Network Connectivity......Page 441
9. Missing Subdomain Delegation......Page 443
10. Incorrect Subdomain Delegation......Page 444
11. Syntax Error in resolv.conf......Page 447
12. Local Domain Name Not Set......Page 448
Resolver Behavior......Page 450
Zone Transfer Fails Because of Proprietary WINS Record......Page 451
Nameserver Reports “no NS RR for SOA MNAME”......Page 452
Resolver Reports “asked for PTR, got CNAME”......Page 453
Other Nameservers Don’t Cache Your Negative Answers......Page 454
TSIG Errors......Page 455
Local Name Can’t Be Looked Up......Page 456
Remote Names Can’t Be Looked Up......Page 457
Wrong or Inconsistent Answer......Page 458
rlogin and rsh to Host Fails Access Check......Page 459
Old delegation information......Page 460
What have I got?......Page 461
Shell Script Programming with nslookup......Page 462
Solving This Problem with a Script......Page 463
DNS Message Format......Page 469
Domain Name Compression......Page 470
herror and h_errno......Page 471
res_mkquery......Page 472
res_search......Page 473
res_send......Page 474
The _res Structure......Page 475
The Nameserver Library Routines......Page 477
ns_initparse......Page 478
ns_msg_get_flag......Page 479
ns_name_compress......Page 480
ns_name_uncompress......Page 481
Parsing DNS Responses......Page 482
A Sample Program: check_soa......Page 483
Packet Objects......Page 494
Resource Record Objects......Page 495
A Perl Version of check_soa......Page 496
External, Authoritative DNS Infrastructure......Page 498
Forwarder Infrastructure......Page 502
Internal DNS Infrastructure......Page 504
Operations......Page 505
Keeping Up with DNS and BIND......Page 506
CNAMEs Attached to Interior Nodes......Page 507
CNAMEs Pointing to CNAMEs......Page 508
Multiple CNAME Records......Page 509
Finding Out a Host’s Aliases......Page 510
Wildcards......Page 512
Dial-up Connections......Page 513
Avoiding Dialouts......Page 514
Manual Dial-up with One Host......Page 515
Dial-on-Demand with Multiple Hosts......Page 516
Running Authoritative Nameservers over Dial-on-Demand......Page 517
Network Names and Numbers......Page 518
AFSDB......Page 520
LOC......Page 521
SRV......Page 522
Translating E.164 Numbers into Domain Names......Page 525
The NAPTR Record......Page 526
Internationalized Domain Names......Page 528
DNS and WINS......Page 530
How Windows Uses Dynamic Update......Page 532
Secure Dynamic Update......Page 535
Handling Windows clients......Page 536
Handling Windows servers......Page 537
Master File Format......Page 541
A address......Page 543
MX mail exchanger......Page 544
PTR pointer......Page 545
SOA start of authority......Page 546
WKS well-known services......Page 547
AFSDB Andrew File System Data Base (experimental)......Page 548
RP Responsible Person (experimental)......Page 549
X25 X.25 address (experimental)......Page 550
PX pointer to X.400/RFC 822 mapping information......Page 551
SRV Locate Services......Page 552
NAPTR Naming Authority Pointer......Page 553
Message Format......Page 554
Header Section Format......Page 555
Question Section Format......Page 556
QTYPE values......Page 557
Answer, Authority, and Additional Section Format......Page 558
Character string......Page 559
Message compression......Page 560
BIND Compatibility Matrix......Page 561
Get the Source Code......Page 562
Use the Proper Compiler Settings......Page 563
Get the Source Code......Page 564
Run configure, and Build Everything......Page 565
Top-Level Domains......Page 567
acl......Page 572
logging......Page 573
options......Page 574
zone......Page 576
Comments......Page 577
key......Page 578
lwres......Page 579
options......Page 580
trusted-keys......Page 583
view......Page 584
zone......Page 586
BIND Resolver Statements......Page 587
nameserver......Page 588
options ndots......Page 589
options rotate (8.2+)......Page 590
BIND 9 Options Statement......Page 591
Definition and Usage......Page 592
Boolean Options......Page 594
Access Control......Page 599
Query Address......Page 601
Zone Transfers......Page 602
Operating System Resource Limits......Page 604
Server Resource Limits......Page 605
Periodic Task Intervals......Page 606
The sortlist Statement......Page 607
Tuning......Page 609
Built-in Server Information Zones......Page 610
Index......Page 613