bind/doc/arm/configuration.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. Configuration:

Name Server Configuration
=========================

In this chapter we provide some suggested configurations, along with
guidelines for their use. We suggest reasonable values for certain
option settings.

.. _sample_configuration:

Sample Configurations
---------------------

.. _cache_only_sample:

A Caching-only Name Server
~~~~~~~~~~~~~~~~~~~~~~~~~~

The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All queries
from outside clients are refused using the ``allow-query`` option.
The same effect can be achieved using suitable firewall
rules.

::

   // Two corporate subnets we wish to allow queries from.
   acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
   options {
        allow-query { corpnets; };
   };
   // Provide a reverse mapping for the loopback
   // address 127.0.0.1
   zone "0.0.127.in-addr.arpa" {
        type primary;
        file "localhost.rev";
        notify no;
   };

.. _auth_only_sample:

An Authoritative-only Name Server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This sample configuration is for an authoritative-only server that is
the primary server for ``example.com`` and a secondary server for the subdomain
``eng.example.com``.

::

   options {
        // Do not allow access to cache
        allow-query-cache { none; };
        // This is the default
        allow-query { any; };
        // Do not provide recursive service
        recursion no;
   };

   // Provide a reverse mapping for the loopback
   // address 127.0.0.1
   zone "0.0.127.in-addr.arpa" {
        type primary;
        file "localhost.rev";
        notify no;
   };
   // We are the primary server for example.com
   zone "example.com" {
        type primary;
        file "example.com.db";
        // IP addresses of secondary servers allowed to
        // transfer example.com
        allow-transfer {
         192.168.4.14;
         192.168.5.53;
        };
   };
   // We are a secondary server for eng.example.com
   zone "eng.example.com" {
        type secondary;
        file "eng.example.com.bk";
        // IP address of eng.example.com primary server
        primaries { 192.168.4.12; };
   };

.. _load_balancing:

Load Balancing
--------------

A primitive form of load balancing can be achieved in the DNS by using
multiple records (such as multiple A records) for one name.

For example, assuming three HTTP servers with network addresses of
10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
means that clients will connect to each machine one-third of the time:

+-----------+------+----------+----------+----------------------------+
| Name      | TTL  | CLASS    | TYPE     | Resource Record (RR) Data  |
+-----------+------+----------+----------+----------------------------+
| www       | 600  |   IN     |   A      |   10.0.0.1                 |
+-----------+------+----------+----------+----------------------------+
|           | 600  |   IN     |   A      |   10.0.0.2                 |
+-----------+------+----------+----------+----------------------------+
|           | 600  |   IN     |   A      |   10.0.0.3                 |
+-----------+------+----------+----------+----------------------------+

When a resolver queries for these records, BIND rotates them and
responds to the query with the records in a different order. In the
example above, clients randomly receive records in the order 1, 2,
3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
and discard the rest.

For more detail on ordering responses, check the ``rrset-order``
sub-statement in the ``options`` statement; see :ref:`rrset_ordering`.

.. _ns_operations:

Name Server Operations
----------------------

.. _tools:

Tools for Use With the Name Server Daemon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section describes several indispensable diagnostic, administrative, 
and monitoring tools available to the system administrator for
controlling and debugging the name server daemon.

.. _diagnostic_tools:

Diagnostic Tools
^^^^^^^^^^^^^^^^

The ``dig``, ``host``, and ``nslookup`` programs are all command-line
tools for manually querying name servers. They differ in style and
output format.

``dig``
   ``dig`` is the most versatile and complete of these lookup tools. It
   has two modes: simple interactive mode for a single query, and batch
   mode, which executes a query for each in a list of several query
   lines. All query options are accessible from the command line.

   For more information and a list of available commands and options,
   see :ref:`man_dig`.

``host``
   The ``host`` utility emphasizes simplicity and ease of use. By
   default, it converts between host names and Internet addresses, but
   its functionality can be extended with the use of options.

   For more information and a list of available commands and options,
   see :ref:`man_host`.

``nslookup``
   ``nslookup`` has two modes: interactive and non-interactive.
   Interactive mode allows the user to query name servers for
   information about various hosts and domains, or to print a list of
   hosts in a domain. Non-interactive mode is used to print just the
   name and requested information for a host or domain.

   Due to its arcane user interface and frequently inconsistent
   behavior, we do not recommend the use of ``nslookup``. Use ``dig``
   instead.

.. _admin_tools:

Administrative Tools
^^^^^^^^^^^^^^^^^^^^

Administrative tools play an integral part in the management of a
server.

``named-checkconf``
   The ``named-checkconf`` program checks the syntax of a ``named.conf``
   file.

   For more information and a list of available commands and options,
   see :ref:`man_named-checkconf`.

``named-checkzone``
   The ``named-checkzone`` program checks a zone file for syntax and
   consistency.

   For more information and a list of available commands and options,
   see :ref:`man_named-checkzone`.

``named-compilezone``
   This tool is similar to ``named-checkzone`` but it always dumps the zone content
   to a specified file (typically in a different format).

   For more information and a list of available commands and options,
   see :ref:`man_named-compilezone`.

``rndc``
   The remote name daemon control (``rndc``) program allows the system
   administrator to control the operation of a name server.

   See :ref:`man_rndc` for details of the available ``rndc``
   commands.

   ``rndc`` requires a configuration file, since all communication with
   the server is authenticated with digital signatures that rely on a
   shared secret, and there is no way to provide that secret other than
   with a configuration file. The default location for the ``rndc``
   configuration file is |rndc_conf|, but an alternate location
   can be specified with the :option:`-c <rndc -c>` option. If the configuration file is
   not found, ``rndc`` also looks in |rndc_key| (or whatever
   ``sysconfdir`` was defined when the BIND build was configured). The
   ``rndc.key`` file is generated by running :option:`rndc-confgen -a` as
   described in :ref:`controls_statement_definition_and_usage`.

   The format of the configuration file is similar to that of
   ``named.conf``, but is limited to only four statements: the ``options``,
   ``key``, ``server``, and ``include`` statements. These statements are
   what associate the secret keys to the servers with which they are
   meant to be shared. The order of statements is not significant.

   The ``options`` statement has three clauses: ``default-server``,
   ``default-key``, and ``default-port``. ``default-server`` takes a
   host name or address argument and represents the server that is
   contacted if no :option:`-s <rndc -s>` option is provided on the command line.
   ``default-key`` takes the name of a key as its argument, as defined
   by a ``key`` statement. ``default-port`` specifies the port to which
   ``rndc`` should connect if no port is given on the command line or in
   a ``server`` statement.

   The ``key`` statement defines a key to be used by ``rndc`` when
   authenticating with ``named``. Its syntax is identical to the ``key``
   statement in ``named.conf``. The keyword ``key`` is followed by a key
   name, which must be a valid domain name, though it need not actually
   be hierarchical; thus, a string like ``rndc_key`` is a valid name.
   The ``key`` statement has two clauses: ``algorithm`` and ``secret``.
   While the configuration parser accepts any string as the argument
   to ``algorithm``, currently only the strings ``hmac-md5``,
   ``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``,
   ``hmac-sha384``, and ``hmac-sha512`` have any meaning. The secret
   is a Base64-encoded string as specified in :rfc:`3548`.

   The ``server`` statement associates a key defined using the ``key``
   statement with a server. The keyword ``server`` is followed by a host
   name or address. The ``server`` statement has two clauses: ``key``
   and ``port``. The ``key`` clause specifies the name of the key to be
   used when communicating with this server, and the ``port`` clause can
   be used to specify the port ``rndc`` should connect to on the server.

   A sample minimal configuration file is as follows:

   ::

      key rndc_key {
           algorithm "hmac-sha256";
           secret
             "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
      };
      options {
           default-server 127.0.0.1;
           default-key    rndc_key;
      };

   This file, if installed as |rndc_conf|, allows the
   command:

   :option:`rndc reload`

   to connect to 127.0.0.1 port 953 and causes the name server to reload,
   if a name server on the local machine is running with the following
   controls statements:

   ::

      controls {
          inet 127.0.0.1
              allow { localhost; } keys { rndc_key; };
      };

   and it has an identical key statement for ``rndc_key``.

   Running the ``rndc-confgen`` program conveniently creates an
   ``rndc.conf`` file, and also displays the corresponding
   ``controls`` statement needed to add to ``named.conf``.
   Alternatively, it is possible to run :option:`rndc-confgen -a` to set up an
   ``rndc.key`` file and not modify ``named.conf`` at all.

Signals
~~~~~~~

Certain Unix signals cause the name server to take specific actions, as
described in the following table. These signals can be sent using the
``kill`` command.

+--------------+-------------------------------------------------------+
| ``SIGHUP``   | Causes the server to read ``named.conf`` and reload   |
|              | the database.                                         |
+--------------+-------------------------------------------------------+
| ``SIGTERM``  | Causes the server to clean up and exit.               |
+--------------+-------------------------------------------------------+
| ``SIGINT``   | Causes the server to clean up and exit.               |
+--------------+-------------------------------------------------------+

.. include:: plugins.rst