mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 07:35:26 +00:00
Code Issues Releases Wiki Activity

Merge branch '3169-arm-restructuring' into 'main'

Browse Source 
Restructure ARM

Closes #1223

See merge request isc-projects/bind9!6156
This commit is contained in:
Petr Špaček
2022-05-11 09:01:01 +00:00
parent 2abfadd05a 8a3c4cbcdd
commit 7037253e12
59 changed files with 3804 additions and 1799 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.reuse/dep5
View File

@@ -82,6 +82,8 @@ Files: **/*.after*
cocci/*.cocci cocci/*.cocci
cocci/*.disabled cocci/*.disabled
cocci/*.spatch cocci/*.spatch
doc/arm/*.dia
doc/arm/*.png
doc/arm/isc-logo.pdf doc/arm/isc-logo.pdf
doc/arm/requirements.txt doc/arm/requirements.txt
doc/man/*.1in doc/man/*.1in

68
doc/arm/Makefile.am
View File

@@ -2,31 +2,65 @@ include $(top_srcdir)/Makefile.top
include $(top_srcdir)/Makefile.docs include $(top_srcdir)/Makefile.docs
EXTRA_DIST = \ EXTRA_DIST = \
advanced.inc.rst \
build.inc.rst \
catz.inc.rst \
chapter10.rst \
chapter1.rst \
chapter2.rst \
chapter3.rst \
chapter4.rst \
chapter5.rst \
chapter6.rst \
chapter7.rst \
chapter9.rst \
config-auth.inc.rst \
config-intro.inc.rst \
config-resolve.inc.rst \
conf.py \ conf.py \
isc-logo.pdf \ dlz.inc.rst \
advanced.rst \ dns-ops.inc.rst \
build.rst \
catz.rst \
configuration.rst \
dlz.rst \
dnssec-guide.rst \ dnssec-guide.rst \
dnssec.rst \ dnssec.inc.rst \
dyndb.rst \ dns-security-overview.dia \
dns-security-overview.png \
dns-servers.dia \
dns-servers.png \
dns-tree.dia \
dns-tree.png \
dyndb.inc.rst \
general.rst \ general.rst \
history.rst \ history.rst \
index.rst \ index.rst \
introduction.rst \ intro-dns-bind.inc.rst \
logging-categories.rst \ introduction.inc.rst \
managed-keys.rst \ intro-security.inc.rst \
isc-logo.pdf \
logging-categories.inc.rst \
managed-keys.inc.rst \
manpages.rst \ manpages.rst \
name-resolution.dia \
name-resolution.png \
notes.rst \ notes.rst \
pkcs11.rst \ pkcs11.inc.rst \
platforms.rst \ platforms.inc.rst \
plugins.rst \ plugins.inc.rst \
primary-secondary.dia \
primary-secondary.png \
recursive-query.dia \
recursive-query.png \
reference.rst \ reference.rst \
requirements.rst \ requirements.inc.rst \
security.rst \ requirements.txt \
troubleshooting.rst \ resolver-forward.dia \
resolver-forward.png \
rpz.inc.rst \
security.inc.rst \
sig0.inc.rst \
tkey.inc.rst \
troubleshooting.inc.rst \
tsig.inc.rst \
zones.inc.rst \
../dnssec-guide \ ../dnssec-guide \
../misc/acl.grammar.rst \ ../misc/acl.grammar.rst \
../misc/controls.grammar.rst \ ../misc/controls.grammar.rst \

401
doc/arm/advanced.inc.rst Normal file
View File

@@ -0,0 +1,401 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _advanced:
Advanced Configurations
=======================
.. _dynamic_update:
Dynamic Update
--------------
Dynamic update is a method for adding, replacing, or deleting records in
a primary server by sending it a special form of DNS messages. The format
and meaning of these messages is specified in :rfc:`2136`.
Dynamic update is enabled by including an ``allow-update`` or an
``update-policy`` clause in the ``zone`` statement.
If the zone's ``update-policy`` is set to ``local``, updates to the zone
are permitted for the key ``local-ddns``, which is generated by
:iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
Dynamic updates using Kerberos-signed requests can be made using the
TKEY/GSS protocol, either by setting the ``tkey-gssapi-keytab`` option
or by setting both the ``tkey-gssapi-credential`` and
``tkey-domain`` options. Once enabled, Kerberos-signed requests are
matched against the update policies for the zone, using the Kerberos
principal as the signer for the request.
Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
NSEC, and NSEC3 records affected by updates are automatically regenerated
by the server using an online zone key. Update authorization is based on
transaction signatures and an explicit server policy.
.. _journal:
The Journal File
~~~~~~~~~~~~~~~~
All changes made to a zone using dynamic update are stored in the zone's
journal file. This file is automatically created by the server when the
first dynamic update takes place. The name of the journal file is formed
by appending the extension ``.jnl`` to the name of the corresponding
zone file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
The server also occasionally writes ("dumps") the complete contents
of the updated zone to its zone file. This is not done immediately after
each dynamic update because that would be too slow when a large zone is
updated frequently. Instead, the dump is delayed by up to 15 minutes,
allowing additional updates to take place. During the dump process,
transient files are created with the extensions ``.jnw`` and
``.jbk``; under ordinary circumstances, these are removed when the
dump is complete, and can be safely ignored.
When a server is restarted after a shutdown or crash, it replays the
journal file to incorporate into the zone any updates that took place
after the last zone dump.
Changes that result from incoming incremental zone transfers are also
journaled in a similar way.
The zone files of dynamic zones cannot normally be edited by hand
because they are not guaranteed to contain the most recent dynamic
changes; those are only in the journal file. The only way to ensure
that the zone file of a dynamic zone is up-to-date is to run
:option:`rndc stop`.
To make changes to a dynamic zone manually, follow these steps:
first, disable dynamic updates to the zone using
:option:`rndc freeze zone <rndc freeze>`. This updates the zone file with the
changes stored in its ``.jnl`` file. Then, edit the zone file. Finally, run
:option:`rndc thaw zone <rndc thaw>` to reload the changed zone and re-enable dynamic
updates.
:option:`rndc sync zone <rndc sync>` updates the zone file with changes from the
journal file without stopping dynamic updates; this may be useful for
viewing the current zone state. To remove the ``.jnl`` file after
updating the zone file, use :option:`rndc sync -clean <rndc sync>`.
.. _incremental_zone_transfers:
Incremental Zone Transfers (IXFR)
---------------------------------
The incremental zone transfer (IXFR) protocol is a way for secondary servers
to transfer only changed data, instead of having to transfer an entire
zone. The IXFR protocol is specified in :rfc:`1995`.
When acting as a primary server, BIND 9 supports IXFR for those zones where the
necessary change history information is available. These include primary
zones maintained by dynamic update and secondary zones whose data was
obtained by IXFR. For manually maintained primary zones, and for secondary
zones obtained by performing a full zone transfer (AXFR), IXFR is
supported only if the option ``ixfr-from-differences`` is set to
``yes``.
When acting as a secondary server, BIND 9 attempts to use IXFR unless it is
explicitly disabled. For more information about disabling IXFR, see the
description of the ``request-ixfr`` clause of the ``server`` statement.
When a secondary server receives a zone via AXFR, it creates a new copy of the
zone database and then swaps it into place; during the loading process, queries
continue to be served from the old database with no interference. When receiving
a zone via IXFR, however, changes are applied to the running zone, which may
degrade query performance during the transfer. If a server receiving an IXFR
request determines that the response size would be similar in size to an AXFR
response, it may wish to send AXFR instead. The threshold at which this
determination is made can be configured using the
``max-ixfr-ratio`` option.
.. _split_dns:
Split DNS
---------
Setting up different views of the DNS space to internal
and external resolvers is usually referred to as a *split DNS* setup.
There are several reasons an organization might want to set up its DNS
this way.
One common reason to use split DNS is to hide
"internal" DNS information from "external" clients on the Internet.
There is some debate as to whether this is actually useful.
Internal DNS information leaks out in many ways (via email headers, for
example) and most savvy "attackers" can find the information they need
using other means. However, since listing addresses of internal servers
that external clients cannot possibly reach can result in connection
delays and other annoyances, an organization may choose to use split
DNS to present a consistent view of itself to the outside world.
Another common reason for setting up a split DNS system is to allow
internal networks that are behind filters or in :rfc:`1918` space (reserved
IP space, as documented in :rfc:`1918`) to resolve DNS on the Internet.
Split DNS can also be used to allow mail from outside back into the
internal network.
.. _split_dns_sample:
Example Split DNS Setup
~~~~~~~~~~~~~~~~~~~~~~~
Let's say a company named *Example, Inc.* (``example.com``) has several
corporate sites that have an internal network with reserved Internet
Protocol (IP) space and an external demilitarized zone (DMZ), or
"outside" section of a network, that is available to the public.
Example, Inc. wants its internal clients to be able to resolve
external hostnames and to exchange mail with people on the outside. The
company also wants its internal resolvers to have access to certain
internal-only zones that are not available at all outside of the
internal network.
To accomplish this, the company sets up two sets of name
servers. One set is on the inside network (in the reserved IP
space) and the other set is on bastion hosts, which are "proxy"
hosts in the DMZ that can talk to both sides of its network.
The internal servers are configured to forward all queries, except
queries for ``site1.internal``, ``site2.internal``,
``site1.example.com``, and ``site2.example.com``, to the servers in the
DMZ. These internal servers have complete sets of information for
``site1.example.com``, ``site2.example.com``, ``site1.internal``, and
``site2.internal``.
To protect the ``site1.internal`` and ``site2.internal`` domains, the
internal name servers must be configured to disallow all queries to
these domains from any external hosts, including the bastion hosts.
The external servers, which are on the bastion hosts, are configured
to serve the "public" version of the ``site1.example.com`` and ``site2.example.com``
zones. This could include things such as the host records for public
servers (``www.example.com`` and ``ftp.example.com``) and mail exchange
(MX) records (``a.mx.example.com`` and ``b.mx.example.com``).
In addition, the public ``site1.example.com`` and ``site2.example.com`` zones should
have special MX records that contain wildcard (``*``) records pointing to
the bastion hosts. This is needed because external mail servers
have no other way of determining how to deliver mail to those internal
hosts. With the wildcard records, the mail is delivered to the
bastion host, which can then forward it on to internal hosts.
Here's an example of a wildcard MX record:
::
* IN MX 10 external1.example.com.
Now that they accept mail on behalf of anything in the internal network,
the bastion hosts need to know how to deliver mail to internal
hosts. The resolvers on the bastion
hosts need to be configured to point to the internal name servers
for DNS resolution.
Queries for internal hostnames are answered by the internal servers,
and queries for external hostnames are forwarded back out to the DNS
servers on the bastion hosts.
For all of this to work properly, internal clients need to be
configured to query *only* the internal name servers for DNS queries.
This could also be enforced via selective filtering on the network.
If everything has been set properly, Example, Inc.'s internal clients
are now able to:
- Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
zones.
- Look up any hostnames in the ``site1.internal`` and
``site2.internal`` domains.
- Look up any hostnames on the Internet.
- Exchange mail with both internal and external users.
Hosts on the Internet are able to:
- Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
zones.
- Exchange mail with anyone in the ``site1.example.com`` and ``site2.example.com``
zones.
Here is an example configuration for the setup just described above.
Note that this is only configuration information; for information on how
to configure the zone files, see :ref:`sample_configuration`.
Internal DNS server config:
::
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };
options {
...
...
forward only;
// forward to external servers
forwarders {
bastion-ips-go-here;
};
// sample allow-transfer (no one)
allow-transfer { none; };
// restrict query access
allow-query { internals; externals; };
// restrict recursion
allow-recursion { internals; };
...
...
};
// sample primary zone
zone "site1.example.com" {
type primary;
file "m/site1.example.com";
// do normal iterative resolution (do not forward)
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
// sample secondary zone
zone "site2.example.com" {
type secondary;
file "s/site2.example.com";
primaries { 172.16.72.3; };
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
zone "site1.internal" {
type primary;
file "m/site1.internal";
forwarders { };
allow-query { internals; };
allow-transfer { internals; }
};
zone "site2.internal" {
type secondary;
file "s/site2.internal";
primaries { 172.16.72.3; };
forwarders { };
allow-query { internals };
allow-transfer { internals; }
};
External (bastion host) DNS server configuration:
::
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };
options {
...
...
// sample allow-transfer (no one)
allow-transfer { none; };
// default query access
allow-query { any; };
// restrict cache access
allow-query-cache { internals; externals; };
// restrict recursion
allow-recursion { internals; externals; };
...
...
};
// sample secondary zone
zone "site1.example.com" {
type primary;
file "m/site1.foo.com";
allow-transfer { internals; externals; };
};
zone "site2.example.com" {
type secondary;
file "s/site2.foo.com";
primaries { another_bastion_host_maybe; };
allow-transfer { internals; externals; }
};
In the ``resolv.conf`` (or equivalent) on the bastion host(s):
::
search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
.. _ipv6:
IPv6 Support in BIND 9
----------------------
BIND 9 fully supports all currently defined forms of IPv6 name-to-address
and address-to-name lookups. It also uses IPv6 addresses to
make queries when running on an IPv6-capable system.
For forward lookups, BIND 9 supports only AAAA records. :rfc:`3363`
deprecated the use of A6 records, and client-side support for A6 records
was accordingly removed from BIND 9. However, authoritative BIND 9 name
servers still load zone files containing A6 records correctly, answer
queries for A6 records, and accept zone transfer for a zone containing
A6 records.
For IPv6 reverse lookups, BIND 9 supports the traditional "nibble"
format used in the ``ip6.arpa`` domain, as well as the older, deprecated
``ip6.int`` domain. Older versions of BIND 9 supported the "binary label"
(also known as "bitstring") format, but support of binary labels has
been completely removed per :rfc:`3363`. Many applications in BIND 9 do not
understand the binary label format at all anymore, and return an
error if one is given. In particular, an authoritative BIND 9 name server will
not load a zone file containing binary labels.
Address Lookups Using AAAA Records
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the
deprecated A6 record, specifies the entire IPv6 address in a single
record. For example:
::
$ORIGIN example.com.
host 3600 IN AAAA 2001:db8::1
Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has
an IPv4 address, use an A record, not a AAAA, with
``::ffff:192.168.42.1`` as the address.
Address-to-Name Lookups Using Nibble Format
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When looking up an address in nibble format, the address components are
simply reversed, just as in IPv4, and ``ip6.arpa.`` is appended to the
resulting name. For example, the following commands produce a reverse name
lookup for a host with address ``2001:db8::1``:
::
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
host.example.com. )

842
doc/arm/advanced.rst
View File

@@ -1,842 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. Advanced:
Advanced DNS Features
=====================
.. _notify:
Notify
------
DNS NOTIFY is a mechanism that allows primary servers to notify their
secondary servers of changes to a zone's data. In response to a ``NOTIFY``
from a primary server, the secondary checks to see that its version of
the zone is the current version and, if not, initiates a zone transfer.
For more information about DNS ``NOTIFY``, see the description of the
``notify`` option in :ref:`boolean_options` and the
description of the zone option ``also-notify`` in :ref:`zone_transfers`.
The ``NOTIFY`` protocol is specified in :rfc:`1996`.
.. note::
As a secondary zone can also be a primary to other secondaries, :iscman:`named`, by
default, sends ``NOTIFY`` messages for every zone it loads.
Specifying ``notify primary-only;`` causes :iscman:`named` to only send
``NOTIFY`` for primary zones that it loads.
.. _dynamic_update:
Dynamic Update
--------------
Dynamic update is a method for adding, replacing, or deleting records in
a primary server by sending it a special form of DNS messages. The format
and meaning of these messages is specified in :rfc:`2136`.
Dynamic update is enabled by including an ``allow-update`` or an
``update-policy`` clause in the ``zone`` statement.
If the zone's ``update-policy`` is set to ``local``, updates to the zone
are permitted for the key ``local-ddns``, which is generated by
:iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
Dynamic updates using Kerberos-signed requests can be made using the
TKEY/GSS protocol, either by setting the ``tkey-gssapi-keytab`` option
or by setting both the ``tkey-gssapi-credential`` and
``tkey-domain`` options. Once enabled, Kerberos-signed requests are
matched against the update policies for the zone, using the Kerberos
principal as the signer for the request.
Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
NSEC, and NSEC3 records affected by updates are automatically regenerated
by the server using an online zone key. Update authorization is based on
transaction signatures and an explicit server policy.
.. _journal:
The Journal File
~~~~~~~~~~~~~~~~
All changes made to a zone using dynamic update are stored in the zone's
journal file. This file is automatically created by the server when the
first dynamic update takes place. The name of the journal file is formed
by appending the extension ``.jnl`` to the name of the corresponding
zone file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
The server also occasionally writes ("dumps") the complete contents
of the updated zone to its zone file. This is not done immediately after
each dynamic update because that would be too slow when a large zone is
updated frequently. Instead, the dump is delayed by up to 15 minutes,
allowing additional updates to take place. During the dump process,
transient files are created with the extensions ``.jnw`` and
``.jbk``; under ordinary circumstances, these are removed when the
dump is complete, and can be safely ignored.
When a server is restarted after a shutdown or crash, it replays the
journal file to incorporate into the zone any updates that took place
after the last zone dump.
Changes that result from incoming incremental zone transfers are also
journaled in a similar way.
The zone files of dynamic zones cannot normally be edited by hand
because they are not guaranteed to contain the most recent dynamic
changes; those are only in the journal file. The only way to ensure
that the zone file of a dynamic zone is up-to-date is to run
:option:`rndc stop`.
To make changes to a dynamic zone manually, follow these steps:
first, disable dynamic updates to the zone using
:option:`rndc freeze zone <rndc freeze>`. This updates the zone file with the
changes stored in its ``.jnl`` file. Then, edit the zone file. Finally, run
:option:`rndc thaw zone <rndc thaw>` to reload the changed zone and re-enable dynamic
updates.
:option:`rndc sync zone <rndc sync>` updates the zone file with changes from the
journal file without stopping dynamic updates; this may be useful for
viewing the current zone state. To remove the ``.jnl`` file after
updating the zone file, use :option:`rndc sync -clean <rndc sync>`.
.. _incremental_zone_transfers:
Incremental Zone Transfers (IXFR)
---------------------------------
The incremental zone transfer (IXFR) protocol is a way for secondary servers
to transfer only changed data, instead of having to transfer an entire
zone. The IXFR protocol is specified in :rfc:`1995`.
When acting as a primary server, BIND 9 supports IXFR for those zones where the
necessary change history information is available. These include primary
zones maintained by dynamic update and secondary zones whose data was
obtained by IXFR. For manually maintained primary zones, and for secondary
zones obtained by performing a full zone transfer (AXFR), IXFR is
supported only if the option ``ixfr-from-differences`` is set to
``yes``.
When acting as a secondary server, BIND 9 attempts to use IXFR unless it is
explicitly disabled. For more information about disabling IXFR, see the
description of the ``request-ixfr`` clause of the ``server`` statement.
When a secondary server receives a zone via AXFR, it creates a new copy of the
zone database and then swaps it into place; during the loading process, queries
continue to be served from the old database with no interference. When receiving
a zone via IXFR, however, changes are applied to the running zone, which may
degrade query performance during the transfer. If a server receiving an IXFR
request determines that the response size would be similar in size to an AXFR
response, it may wish to send AXFR instead. The threshold at which this
determination is made can be configured using the
``max-ixfr-ratio`` option.
.. _split_dns:
Split DNS
---------
Setting up different views of the DNS space to internal
and external resolvers is usually referred to as a *split DNS* setup.
There are several reasons an organization might want to set up its DNS
this way.
One common reason to use split DNS is to hide
"internal" DNS information from "external" clients on the Internet.
There is some debate as to whether this is actually useful.
Internal DNS information leaks out in many ways (via email headers, for
example) and most savvy "attackers" can find the information they need
using other means. However, since listing addresses of internal servers
that external clients cannot possibly reach can result in connection
delays and other annoyances, an organization may choose to use split
DNS to present a consistent view of itself to the outside world.
Another common reason for setting up a split DNS system is to allow
internal networks that are behind filters or in :rfc:`1918` space (reserved
IP space, as documented in :rfc:`1918`) to resolve DNS on the Internet.
Split DNS can also be used to allow mail from outside back into the
internal network.
.. _split_dns_sample:
Example Split DNS Setup
~~~~~~~~~~~~~~~~~~~~~~~
Let's say a company named *Example, Inc.* (``example.com``) has several
corporate sites that have an internal network with reserved Internet
Protocol (IP) space and an external demilitarized zone (DMZ), or
"outside" section of a network, that is available to the public.
Example, Inc. wants its internal clients to be able to resolve
external hostnames and to exchange mail with people on the outside. The
company also wants its internal resolvers to have access to certain
internal-only zones that are not available at all outside of the
internal network.
To accomplish this, the company sets up two sets of name
servers. One set is on the inside network (in the reserved IP
space) and the other set is on bastion hosts, which are "proxy"
hosts in the DMZ that can talk to both sides of its network.
The internal servers are configured to forward all queries, except
queries for ``site1.internal``, ``site2.internal``,
``site1.example.com``, and ``site2.example.com``, to the servers in the
DMZ. These internal servers have complete sets of information for
``site1.example.com``, ``site2.example.com``, ``site1.internal``, and
``site2.internal``.
To protect the ``site1.internal`` and ``site2.internal`` domains, the
internal name servers must be configured to disallow all queries to
these domains from any external hosts, including the bastion hosts.
The external servers, which are on the bastion hosts, are configured
to serve the "public" version of the ``site1.example.com`` and ``site2.example.com``
zones. This could include things such as the host records for public
servers (``www.example.com`` and ``ftp.example.com``) and mail exchange
(MX) records (``a.mx.example.com`` and ``b.mx.example.com``).
In addition, the public ``site1.example.com`` and ``site2.example.com`` zones should
have special MX records that contain wildcard (``*``) records pointing to
the bastion hosts. This is needed because external mail servers
have no other way of determining how to deliver mail to those internal
hosts. With the wildcard records, the mail is delivered to the
bastion host, which can then forward it on to internal hosts.
Here's an example of a wildcard MX record:
::
* IN MX 10 external1.example.com.
Now that they accept mail on behalf of anything in the internal network,
the bastion hosts need to know how to deliver mail to internal
hosts. The resolvers on the bastion
hosts need to be configured to point to the internal name servers
for DNS resolution.
Queries for internal hostnames are answered by the internal servers,
and queries for external hostnames are forwarded back out to the DNS
servers on the bastion hosts.
For all of this to work properly, internal clients need to be
configured to query *only* the internal name servers for DNS queries.
This could also be enforced via selective filtering on the network.
If everything has been set properly, Example, Inc.'s internal clients
are now able to:
- Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
zones.
- Look up any hostnames in the ``site1.internal`` and
``site2.internal`` domains.
- Look up any hostnames on the Internet.
- Exchange mail with both internal and external users.
Hosts on the Internet are able to:
- Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
zones.
- Exchange mail with anyone in the ``site1.example.com`` and ``site2.example.com``
zones.
Here is an example configuration for the setup just described above.
Note that this is only configuration information; for information on how
to configure the zone files, see :ref:`sample_configuration`.
Internal DNS server config:
::
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };
options {
...
...
forward only;
// forward to external servers
forwarders {
bastion-ips-go-here;
};
// sample allow-transfer (no one)
allow-transfer { none; };
// restrict query access
allow-query { internals; externals; };
// restrict recursion
allow-recursion { internals; };
...
...
};
// sample primary zone
zone "site1.example.com" {
type primary;
file "m/site1.example.com";
// do normal iterative resolution (do not forward)
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
// sample secondary zone
zone "site2.example.com" {
type secondary;
file "s/site2.example.com";
primaries { 172.16.72.3; };
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
zone "site1.internal" {
type primary;
file "m/site1.internal";
forwarders { };
allow-query { internals; };
allow-transfer { internals; }
};
zone "site2.internal" {
type secondary;
file "s/site2.internal";
primaries { 172.16.72.3; };
forwarders { };
allow-query { internals };
allow-transfer { internals; }
};
External (bastion host) DNS server configuration:
::
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };
options {
...
...
// sample allow-transfer (no one)
allow-transfer { none; };
// default query access
allow-query { any; };
// restrict cache access
allow-query-cache { internals; externals; };
// restrict recursion
allow-recursion { internals; externals; };
...
...
};
// sample secondary zone
zone "site1.example.com" {
type primary;
file "m/site1.foo.com";
allow-transfer { internals; externals; };
};
zone "site2.example.com" {
type secondary;
file "s/site2.foo.com";
primaries { another_bastion_host_maybe; };
allow-transfer { internals; externals; }
};
In the ``resolv.conf`` (or equivalent) on the bastion host(s):
::
search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
.. _tsig:
TSIG
----
TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
messages, originally specified in :rfc:`2845`. It allows DNS messages to be
cryptographically signed using a shared secret. TSIG can be used in any
DNS transaction, as a way to restrict access to certain server functions
(e.g., recursive queries) to authorized clients when IP-based access
control is insufficient or needs to be overridden, or as a way to ensure
message authenticity when it is critical to the integrity of the server,
such as with dynamic UPDATE messages or zone transfers from a primary to
a secondary server.
This section is a guide to setting up TSIG in BIND. It describes the
configuration syntax and the process of creating TSIG keys.
:iscman:`named` supports TSIG for server-to-server communication, and some of
the tools included with BIND support it for sending messages to
:iscman:`named`:
* :ref:`man_nsupdate` supports TSIG via the :option:`-k <nsupdate -k>`, :option:`-l <nsupdate -l>`, and :option:`-y <nsupdate -y>` command-line options, or via the ``key`` command when running interactively.
* :ref:`man_dig` supports TSIG via the :option:`-k <dig -k>` and :option:`-y <dig -y>` command-line options.
Generating a Shared Key
~~~~~~~~~~~~~~~~~~~~~~~
TSIG keys can be generated using the :iscman:`tsig-keygen` command; the output
of the command is a ``key`` directive suitable for inclusion in
:iscman:`named.conf`. The key name, algorithm, and size can be specified by
command-line parameters; the defaults are "tsig-key", HMAC-SHA256, and
256 bits, respectively.
Any string which is a valid DNS name can be used as a key name. For
example, a key to be shared between servers called ``host1`` and ``host2``
could be called "host1-host2.", and this key can be generated using:
::
$ tsig-keygen host1-host2. > host1-host2.key
This key may then be copied to both hosts. The key name and secret must
be identical on both hosts. (Note: copying a shared secret from one
server to another is beyond the scope of the DNS. A secure transport
mechanism should be used: secure FTP, SSL, ssh, telephone, encrypted
email, etc.)
:iscman:`tsig-keygen` can also be run as :iscman:`ddns-confgen`, in which case its
output includes additional configuration text for setting up dynamic DNS
in :iscman:`named`. See :ref:`man_ddns-confgen` for details.
Loading a New Key
~~~~~~~~~~~~~~~~~
For a key shared between servers called ``host1`` and ``host2``, the
following could be added to each server's :iscman:`named.conf` file:
::
key "host1-host2." {
algorithm hmac-sha256;
secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
};
(This is the same key generated above using :iscman:`tsig-keygen`.)
Since this text contains a secret, it is recommended that either
:iscman:`named.conf` not be world-readable, or that the ``key`` directive be
stored in a file which is not world-readable and which is included in
:iscman:`named.conf` via the ``include`` directive.
Once a key has been added to :iscman:`named.conf` and the server has been
restarted or reconfigured, the server can recognize the key. If the
server receives a message signed by the key, it is able to verify
the signature. If the signature is valid, the response is signed
using the same key.
TSIG keys that are known to a server can be listed using the command
:option:`rndc tsig-list`.
Instructing the Server to Use a Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A server sending a request to another server must be told whether to use
a key, and if so, which key to use.
For example, a key may be specified for each server in the ``primaries``
statement in the definition of a secondary zone; in this case, all SOA QUERY
messages, NOTIFY messages, and zone transfer requests (AXFR or IXFR)
are signed using the specified key. Keys may also be specified in
the ``also-notify`` statement of a primary or secondary zone, causing NOTIFY
messages to be signed using the specified key.
Keys can also be specified in a ``server`` directive. Adding the
following on ``host1``, if the IP address of ``host2`` is 10.1.2.3, would
cause *all* requests from ``host1`` to ``host2``, including normal DNS
queries, to be signed using the ``host1-host2.`` key:
::
server 10.1.2.3 {
keys { host1-host2. ;};
};
Multiple keys may be present in the ``keys`` statement, but only the
first one is used. As this directive does not contain secrets, it can be
used in a world-readable file.
Requests sent by ``host2`` to ``host1`` would *not* be signed, unless a
similar ``server`` directive were in ``host2``'s configuration file.
When any server sends a TSIG-signed DNS request, it expects the
response to be signed with the same key. If a response is not signed, or
if the signature is not valid, the response is rejected.
TSIG-Based Access Control
~~~~~~~~~~~~~~~~~~~~~~~~~
TSIG keys may be specified in ACL definitions and ACL directives such as
``allow-query``, ``allow-transfer``, and ``allow-update``. The above key
would be denoted in an ACL element as ``key host1-host2.``
Here is an example of an ``allow-update`` directive using a TSIG key:
::
allow-update { !{ !localnets; any; }; key host1-host2. ;};
This allows dynamic updates to succeed only if the UPDATE request comes
from an address in ``localnets``, *and* if it is signed using the
``host1-host2.`` key.
See :ref:`dynamic_update_policies` for a
discussion of the more flexible ``update-policy`` statement.
Errors
~~~~~~
Processing of TSIG-signed messages can result in several errors:
- If a TSIG-aware server receives a message signed by an unknown key,
the response will be unsigned, with the TSIG extended error code set
to BADKEY.
- If a TSIG-aware server receives a message from a known key but with
an invalid signature, the response will be unsigned, with the TSIG
extended error code set to BADSIG.
- If a TSIG-aware server receives a message with a time outside of the
allowed range, the response will be signed but the TSIG extended
error code set to BADTIME, and the time values will be adjusted so
that the response can be successfully verified.
In all of the above cases, the server returns a response code of
NOTAUTH (not authenticated).
TKEY
----
TKEY (Transaction KEY) is a mechanism for automatically negotiating a
shared secret between two hosts, originally specified in :rfc:`2930`.
There are several TKEY "modes" that specify how a key is to be generated
or assigned. BIND 9 implements only one of these modes: Diffie-Hellman
key exchange. Both hosts are required to have a KEY record with
algorithm DH (though this record is not required to be present in a
zone).
The TKEY process is initiated by a client or server by sending a query
of type TKEY to a TKEY-aware server. The query must include an
appropriate KEY record in the additional section, and must be signed
using either TSIG or SIG(0) with a previously established key. The
server's response, if successful, contains a TKEY record in its
answer section. After this transaction, both participants have
enough information to calculate a shared secret using Diffie-Hellman key
exchange. The shared secret can then be used to sign subsequent
transactions between the two servers.
TSIG keys known by the server, including TKEY-negotiated keys, can be
listed using :option:`rndc tsig-list`.
TKEY-negotiated keys can be deleted from a server using
:option:`rndc tsig-delete`. This can also be done via the TKEY protocol
itself, by sending an authenticated TKEY query specifying the "key
deletion" mode.
SIG(0)
------
BIND partially supports DNSSEC SIG(0) transaction signatures as
specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
authenticate messages. Access control is performed in the same manner as with
TSIG keys; privileges can be granted or denied in ACL directives based
on the key name.
When a SIG(0) signed message is received, it is only verified if
the key is known and trusted by the server. The server does not attempt
to recursively fetch or validate the key.
SIG(0) signing of multiple-message TCP streams is not supported.
The only tool shipped with BIND 9 that generates SIG(0) signed messages
is :iscman:`nsupdate`.
.. _DNSSEC:
DNSSEC
------
Cryptographic authentication of DNS information is possible through the
DNS Security ("DNSSEC-bis") extensions, defined in :rfc:`4033`, :rfc:`4034`,
and :rfc:`4035`. This section describes the creation and use of DNSSEC
signed zones.
In order to set up a DNSSEC secure zone, there are a series of steps
which must be followed. BIND 9 ships with several tools that are used in
this process, which are explained in more detail below. In all cases,
the ``-h`` option prints a full list of parameters. Note that the DNSSEC
tools require the keyset files to be in the working directory or the
directory specified by the ``-d`` option.
There must also be communication with the administrators of the parent
and/or child zone to transmit keys. A zone's security status must be
indicated by the parent zone for a DNSSEC-capable resolver to trust its
data. This is done through the presence or absence of a ``DS`` record at
the delegation point.
For other servers to trust data in this zone, they must be
statically configured with either this zone's zone key or the zone key of
another zone above this one in the DNS tree.
.. _generating_dnssec_keys:
Generating Keys
~~~~~~~~~~~~~~~
The :iscman:`dnssec-keygen` program is used to generate keys.
A secure zone must contain one or more zone keys. The zone keys
sign all other records in the zone, as well as the zone keys of any
secure delegated zones. Zone keys must have the same name as the zone, have a
name type of ``ZONE``, and be usable for authentication. It is
recommended that zone keys use a cryptographic algorithm designated as
"mandatory to implement" by the IETF. Currently there are two algorithms,
RSASHA256 and ECDSAP256SHA256; ECDSAP256SHA256 is recommended for
current and future deployments.
The following command generates an ECDSAP256SHA256 key for the
``child.example`` zone:
``dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.``
Two output files are produced: ``Kchild.example.+013+12345.key`` and
``Kchild.example.+013+12345.private`` (where 12345 is an example of a
key tag). The key filenames contain the key name (``child.example.``),
the algorithm (5 is RSASHA1, 8 is RSASHA256, 13 is ECDSAP256SHA256, 15 is
ED25519, etc.), and the key tag (12345 in this case). The private key (in
the ``.private`` file) is used to generate signatures, and the public
key (in the ``.key`` file) is used for signature verification.
To generate another key with the same properties but with a different
key tag, repeat the above command.
The :iscman:`dnssec-keyfromlabel` program is used to get a key pair from a
crypto hardware device and build the key files. Its usage is similar to
:iscman:`dnssec-keygen`.
The public keys should be inserted into the zone file by including the
``.key`` files using ``$INCLUDE`` statements.
.. _dnssec_zone_signing:
Signing the Zone
~~~~~~~~~~~~~~~~
The :iscman:`dnssec-signzone` program is used to sign a zone.
Any ``keyset`` files corresponding to secure sub-zones should be
present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
records for the zone, as well as ``DS`` for the child zones if :option:`-g <dnssec-signzone -g>`
is specified. If :option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the
secure child zones need to be added manually.
By default, all zone keys which have an available private key are used
to generate signatures. The following command signs the zone, assuming
it is in a file called ``zone.child.example``:
``dnssec-signzone -o child.example zone.child.example``
One output file is produced: ``zone.child.example.signed``. This file
should be referenced by :iscman:`named.conf` as the input file for the zone.
:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used
to provide the parent zone administrators with the ``DNSKEYs`` (or their
corresponding ``DS`` records) that are the secure entry point to the zone.
.. _dnssec_config:
Configuring Servers for DNSSEC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To enable :iscman:`named` to validate answers received from other servers, the
``dnssec-validation`` option must be set to either ``yes`` or ``auto``.
When ``dnssec-validation`` is set to ``auto``, a trust anchor for the
DNS root zone is automatically used. This trust anchor is provided
as part of BIND and is kept up to date using :rfc:`5011` key management.
When ``dnssec-validation`` is set to ``yes``, DNSSEC validation
only occurs if at least one trust anchor has been explicitly configured
in :iscman:`named.conf`, using a ``trust-anchors`` statement (or the
``managed-keys`` and ``trusted-keys`` statements, both deprecated).
When ``dnssec-validation`` is set to ``no``, DNSSEC validation does not
occur.
The default is ``auto`` unless BIND is built with
``configure --disable-auto-validation``, in which case the default is
``yes``.
The keys specified in ``trust-anchors`` are copies of DNSKEY RRs for zones that are
used to form the first link in the cryptographic chain of trust. Keys configured
with the keyword ``static-key`` or ``static-ds`` are loaded directly into the
table of trust anchors, and can only be changed by altering the
configuration. Keys configured with ``initial-key`` or ``initial-ds`` are used
to initialize :rfc:`5011` trust anchor maintenance, and are kept up-to-date
automatically after the first time :iscman:`named` runs.
``trust-anchors`` is described in more detail later in this document.
BIND 9 does not verify signatures on load, so zone keys
for authoritative zones do not need to be specified in the configuration
file.
After DNSSEC is established, a typical DNSSEC configuration looks
something like the following. It has one or more public keys for the
root, which allows answers from outside the organization to be validated.
It also has several keys for parts of the namespace that the
organization controls. These are here to ensure that :iscman:`named` is immune
to compromised security in the DNSSEC components of parent zones.
::
trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
/* Key for our organization's forward zone */
example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
xOdNax071L18QqZnQQQAVVr+i
LhGTnNGp3HoWQLUIzKrJVZ3zg
gy3WwNT6kZo6c0tszYqbtvchm
gQC8CzKojM/W16i6MG/eafGU3
siaOdS0yOI6BgPsw+YZdzlYMa
IJGf4M4dyoKIhzdZyQ2bYQrjy
Q4LB0lC7aOnsMyYKHHYeRvPxj
IQXmdqgOJGq+vsevG06zW+1xg
YJh9rCIfnm1GX/KMgxLPG2vXT
D/RnLX+D3T3UL7HJYHJhAZD5L
59VvjSPsZJHeDCUyWYrvPZesZ
DIRvhDD52SKvbheeTJUm6Ehkz
ytNN2SN96QRk8j/iI8ib";
};
options {
...
dnssec-validation yes;
};
..
.. note::
None of the keys listed in this example are valid. In particular, the
root key is not valid.
When DNSSEC validation is enabled and properly configured, the resolver
rejects any answers from signed, secure zones which fail to
validate, and returns SERVFAIL to the client.
Responses may fail to validate for any of several reasons, including
missing, expired, or invalid signatures, a key which does not match the
DS RRset in the parent zone, or an insecure response from a zone which,
according to its parent, should have been secure.
.. note::
When the validator receives a response from an unsigned zone that has
a signed parent, it must confirm with the parent that the zone was
intentionally left unsigned. It does this by verifying, via signed
and validated NSEC/NSEC3 records, that the parent zone contains no DS
records for the child.
If the validator *can* prove that the zone is insecure, then the
response is accepted. However, if it cannot, the validator must assume an
insecure response to be a forgery; it rejects the response and logs
an error.
The logged error reads "insecurity proof failed" and "got insecure
response; parent indicates it should be secure."
.. include:: dnssec.rst
.. include:: managed-keys.rst
.. include:: pkcs11.rst
.. include:: dlz.rst
.. include:: dyndb.rst
.. include:: catz.rst
.. _ipv6:
IPv6 Support in BIND 9
----------------------
BIND 9 fully supports all currently defined forms of IPv6 name-to-address
and address-to-name lookups. It also uses IPv6 addresses to
make queries when running on an IPv6-capable system.
For forward lookups, BIND 9 supports only AAAA records. :rfc:`3363`
deprecated the use of A6 records, and client-side support for A6 records
was accordingly removed from BIND 9. However, authoritative BIND 9 name
servers still load zone files containing A6 records correctly, answer
queries for A6 records, and accept zone transfer for a zone containing
A6 records.
For IPv6 reverse lookups, BIND 9 supports the traditional "nibble"
format used in the ``ip6.arpa`` domain, as well as the older, deprecated
``ip6.int`` domain. Older versions of BIND 9 supported the "binary label"
(also known as "bitstring") format, but support of binary labels has
been completely removed per :rfc:`3363`. Many applications in BIND 9 do not
understand the binary label format at all anymore, and return an
error if one is given. In particular, an authoritative BIND 9 name server will
not load a zone file containing binary labels.
Address Lookups Using AAAA Records
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the
deprecated A6 record, specifies the entire IPv6 address in a single
record. For example:
::
$ORIGIN example.com.
host 3600 IN AAAA 2001:db8::1
Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has
an IPv4 address, use an A record, not a AAAA, with
``::ffff:192.168.42.1`` as the address.
Address-to-Name Lookups Using Nibble Format
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When looking up an address in nibble format, the address components are
simply reversed, just as in IPv4, and ``ip6.arpa.`` is appended to the
resulting name. For example, the following commands produce a reverse name
lookup for a host with address ``2001:db8::1``:
::
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
host.example.com. )

2
doc/arm/build.rst → doc/arm/build.inc.rst
View File

@@ -9,6 +9,8 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. _build_bind:
Building BIND 9 Building BIND 9
--------------- ---------------

0
doc/arm/catz.rst → doc/arm/catz.inc.rst
View File

14
doc/arm/chapter1.rst Normal file
View File

@@ -0,0 +1,14 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: introduction.inc.rst
.. include:: intro-dns-bind.inc.rst
.. include:: intro-security.inc.rst

12
doc/arm/chapter10.rst Normal file
View File

@@ -0,0 +1,12 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: build.inc.rst

13
doc/arm/chapter2.rst Normal file
View File

@@ -0,0 +1,13 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: requirements.inc.rst
.. include:: platforms.inc.rst

17
doc/arm/chapter3.rst Normal file
View File

@@ -0,0 +1,17 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight:: none
.. include:: config-intro.inc.rst
.. include:: config-auth.inc.rst
.. include:: config-resolve.inc.rst
.. include:: zones.inc.rst

13
doc/arm/chapter4.rst Normal file
View File

@@ -0,0 +1,13 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: dns-ops.inc.rst
.. include:: plugins.inc.rst

16
doc/arm/chapter5.rst Normal file
View File

@@ -0,0 +1,16 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: advanced.inc.rst
.. include:: dlz.inc.rst
.. include:: dyndb.inc.rst
.. include:: catz.inc.rst
.. include:: rpz.inc.rst

15
doc/arm/chapter6.rst Normal file
View File

@@ -0,0 +1,15 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: security.inc.rst
.. include:: tsig.inc.rst
.. include:: tkey.inc.rst
.. include:: sig0.inc.rst

14
doc/arm/chapter7.rst Normal file
View File

@@ -0,0 +1,14 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: dnssec.inc.rst
.. include:: managed-keys.inc.rst
.. include:: pkcs11.inc.rst

13
doc/arm/chapter9.rst Normal file
View File

@@ -0,0 +1,13 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. include:: troubleshooting.inc.rst

13
doc/arm/conf.py
View File

@@ -142,18 +142,7 @@ exclude_patterns = [
'_build', '_build',
'Thumbs.db', 'Thumbs.db',
'.DS_Store', '.DS_Store',
'*.grammar.rst', '*.inc.rst'
'*.zoneopts.rst',
'build.rst',
'catz.rst',
'dlz.rst',
'dnssec.rst',
'dyndb.rst',
'logging-categories.rst',
'managed-keys.rst',
'pkcs11.rst',
'platforms.rst',
'plugins.rst'
] ]
# The master toctree document. # The master toctree document.

272
doc/arm/config-auth.inc.rst Normal file
View File

@@ -0,0 +1,272 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _config_auth_samples:
Authoritative Name Servers
--------------------------
These provide authoritative answers to user queries for the zones
they support: for instance, the zone data describing the domain name **example.com**. An
authoritative name server may support one or many zones.
Each zone may be defined as either a **primary** or a **secondary**. A primary zone
reads its zone data directly from a file system. A secondary zone obtains its zone
data from the primary zone using a process called **zone transfer**. Both the primary
and the secondary zones provide authoritative data for their zone; there is no difference
in the answer to a query from a primary or a secondary zone. An authoritative name server
may support any combination of primary and secondary zones.
.. Note:: The terms **primary** and **secondary** do not imply any access
priority. Resolvers (name servers that provide the complete answers to user
queries) are not aware of (and cannot find out) whether an authoritative
answer comes from the primary or secondary name server. Instead, the
resolver uses the list of authoritative servers for the zone (there must be
at least two) and maintains a Round Trip Time (RTT) - the time taken to
respond to the query - for each server in the list. The resolver uses the
lowest-value server (the fastest) as its preferred server for the zone and
continues to do so until its RTT becomes higher than the next slowest in its
list, at which time that one becomes the preferred server.
For reasons of backward compatibility BIND 9 treats "primary" and "master" as
synonyms, as well as "secondary" and "slave."
.. _notify:
The following diagram shows the relationship between the primary and secondary
name servers. The text below explains the process in detail.
.. figure:: primary-secondary.png
:align: center
Authoritative Primary and Secondary Name Servers
The numbers in parentheses in the following text refer to the numbered items in the diagram above.
1. The authoritative primary name server always loads (or reloads) its zone
files from (1) a local or networked filestore.
2. The authoritative secondary name server always loads its zone data from a
primary via a **zone transfer** operation. Zone transfer may use **AXFR**
(complete zone transfer) or **IXFR** (incremental zone transfer), but only
if both primary and secondary name servers support the service. The zone
transfer process (either AXFR or IXFR) works as follows:
a) The secondary name server for the zone reads (3 and 4) the
:ref:`SOA RR<soa_rr>` periodically. The interval is defined by the **refresh**
parameter of the Start of Authority (SOA) RR.
b) The secondary compares the **serial number** parameter of the SOA RR
received from the primary with the serial number in the SOA RR of its
current zone data.
c) If the received serial number is arithmetically greater (higher) than the
current one, the secondary initiates a zone transfer (5) using AXFR or IXFR
(depending on the primary and secondary configuration), using TCP over
port 53 (6).
3. The typically recommended zone refresh times for the SOA RR (the time
interval when the secondary reads or polls the primary for the zone SOA RR)
are multiples of hours to reduce traffic loads. Worst-case zone change
propagation can therefore take extended periods.
4. The optional NOTIFY (:rfc:`1996`) feature (2) is automatically configured;
use the :ref:`notify <notify_st>` statement to turn off the feature.
Whenever the primary loads or reloads a zone, it sends a NOTIFY message to
the configured secondary (or secondaries) and may optionally be configured
to send the NOTIFY message to other hosts using the
:ref:`also-notify<also-notify>` statement. The NOTIFY message simply
indicates to the secondary that the primary has loaded or reloaded the zone.
On receipt of the NOTIFY message, the secondary respons to indicate it has received the NOTIFY and immediately reads the SOA RR
from the primary (as described in section 2 a. above). If the zone file has
changed, propagation is practically immediate.
The authoritative samples all use NOTIFY but identify the statements used, so
that they can be removed if not required.
.. _sample_primary:
Primary Authoritative Name Server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The zone files are unmodified :ref:`from the base samples<base_zone_file>` but
the :iscman:`named.conf` file has been modified as shown:
.. code-block:: c
:linenos:
// authoritative primary named.conf file
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// This is the default - allows user queries from any IP
allow-query { any; };
// normal server operations may place items in the cache
// this prevents any user query from accessing these items
// only authoritative zone data will be returned
allow-query-cache { none; };
// Do not provide recursive service to user queries
recursion no;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// Provide forward mapping zone for localhost
// (optional)
zone "localhost" {
type primary;
file "master/localhost-forward.db";
notify no;
};
// Provide reverse mapping zone for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// We are the primary server for example.com
zone "example.com" {
// this is the primary name server for the zone
type primary;
file "example.com";
// this is the default
notify yes;
// IP addresses of secondary servers allowed to
// transfer example.com from this server
allow-transfer {
192.168.4.14;
192.168.5.53;
};
};
The added statements and clauses are commented in the above file.
The :ref:`zone<zone_clause>` clause, and :ref:`allow-query<allow-query>`,
:ref:`allow-query-cache<allow-query-cache>`,
:ref:`allow-transfer<allow-transfer>`, :ref:`file<file>`,
:ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and :ref:`type<type>`
statements are described in detail in the appropriate sections.
.. _sample_secondary:
Secondary Authoritative Name Server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The zone files ``local-host-forward.db`` and ``localhost.rev`` are unmodified
:ref:`from the base samples<base_zone_file>`. The **example.com** zone file is
not required (the zone file is obtained from the primary via zone transfer).
The :iscman:`named.conf` file has been modified as shown:
.. code-block:: c
:linenos:
// authoritative secondary named.conf file
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// This is the default - allows user queries from any IP
allow-query { any; };
// normal server operations may place items in the cache
// this prevents any user query from accessing these items
// only authoritative zone data will be returned
allow-query-cache { none; };
// Do not provide recursive service to user queries
recursion no;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// Provide forward mapping zone for localhost
// (optional)
zone "localhost" {
type primary;
file "master/localhost-forward.db";
notify no;
};
// Provide reverse mapping zone for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// We are the secondary server for example.com
zone "example.com" {
// this is a secondary server for the zone
type secondary;
// the file statement here allows the secondary to save
// each zone transfer so that in the event of a program restart
// the zone can be loaded immediately and the server can start
// to respond to queries without waiting for a zone transfer
file "example.com.saved";
// IP address of example.com primary server
primaries { 192.168.254.2; };
};
The statements and clauses added are all commented in the above file.
The :ref:`zone<zone_clause>` clause, and :ref:`allow-query<allow-query>`,
:ref:`allow-query-cache<allow-query-cache>`,
:ref:`allow-transfer<allow-transfer>`, :ref:`file<file>`,
:ref:`notify<notify_st>`, :ref:`primaries<primaries>`,
:ref:`recursion<recursion>`, and :ref:`type<type>` statements are described in
detail in the appropriate sections.
If NOTIFY is not being used, no changes are required in this
:iscman:`named.conf` file, since it is the primary that initiates the NOTIFY
message.
.. note::
Just when the reader thought they understood primary and secondary, things
can get more complicated. A secondary zone can also be a primary to other
secondaries: :iscman:`named`, by default, sends NOTIFY messages for every
zone it loads. Specifying :ref:`notify primary-only;<notify>` in the
:ref:`zone<zone_clause>` clause for the secondary causes :iscman:`named` to
only send NOTIFY messages for primary zones that it loads.

208
doc/arm/config-intro.inc.rst Normal file
View File

@@ -0,0 +1,208 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _configuration:
.. _sample_configuration:
Configurations and Zone Files
=============================
Introduction
------------
BIND 9 uses a single configuration file called :iscman:`named.conf`.
:iscman:`named.conf` is typically located in either /etc/namedb or
/usr/local/etc/namedb.
.. Note:: If :ref:`rndc<ops_rndc>` is being used locally (on the same host
as BIND 9) then an additional file :iscman:`rndc.conf` may be present, though
:iscman:`rndc` operates without this file. If :iscman:`rndc` is being run
from a remote host then an :iscman:`rndc.conf` file must be present as it
defines the link characteristics and properties.
Depending on the functionality of the system, one or more zone files is
required.
The samples given throughout this and subsequent chapters use a standard base
format for both the :iscman:`named.conf` and the zone files for **example.com**. The
intent is for the reader to see the evolution from a common base as features
are added or removed.
.. _base_named_conf:
``named.conf`` Base File
~~~~~~~~~~~~~~~~~~~~~~~~
This file illustrates the typical format and layout style used for
:iscman:`named.conf` and provides a basic logging service, which may be extended
as required by the user.
.. code-block:: c
:linenos:
// base named.conf file
// Recommended that you always maintain a change log in this file as shown here
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
The :ref:`logging<logging_grammar>` and :ref:`options<options_grammar>` clauses
and :ref:`category<the_category_phrase>`, :ref:`channel<channel>`,
:ref:`directory<directory>`, :ref:`file<file>`, and :ref:`severity<severity>`
statements are all described further in the appropriate sections of this ARM.
.. _base_zone_file:
**example.com** base zone file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a complete zone file for the domain **example.com**, which
illustrates a number of common features. Comments in the file explain these
features where appropriate. Zone files consist of :ref:`Resource Records (RR)
<zone_file>`, which describe the zone's characteristics or properties.
.. code-block::
:linenos:
; base zone file for example.com
$TTL 2d ; default TTL for zone
$ORIGIN example.com. ; base domain-name
; Start of Authority RR defining the key characteristics of the zone (domain)
@ IN SOA ns1.example.com. hostmaster.example.com. (
2003080800 ; serial number
12h ; refresh
15m ; update retry
3w ; expiry
2h ; minimum
)
; name server RR for the domain
IN NS ns1.example.com.
; the second name server is external to this zone (domain)
IN NS ns2.example.net.
; mail server RRs for the zone (domain)
3w IN MX 10 mail.example.com.
; the second mail servers is external to the zone (domain)
IN MX 20 mail.example.net.
; domain hosts includes NS and MX records defined above
; plus any others required
; for instance a user query for the A RR of joe.example.com will
; return the IPv4 address 192.168.254.6 from this zone file
ns1 IN A 192.168.254.2
mail IN A 192.168.254.4
joe IN A 192.168.254.6
www IN A 192.168.254.7
; aliases ftp (ftp server) to an external domain
ftp IN CNAME ftp.example.net.
This type of zone file is frequently referred to as a **forward-mapped zone
file**, since it maps domain names to some other value, while a
:ref:`reverse-mapped zone file<ipv4_reverse>` maps an IP address to a domain
name. The zone file is called **example.com** for no good reason except that
it is the domain name of the zone it describes; as always, users are free to
use whatever file-naming convention is appropriate to their needs.
Other Zone Files
~~~~~~~~~~~~~~~~
Depending on the configuration additional zone files may or should be present.
Their format and functionality are briefly described here.
localhost Zone File
~~~~~~~~~~~~~~~~~~~
All end-user systems are shipped with a ``hosts`` file (usually located in
/etc). This file is normally configured to map the name **localhost** (the name
used by applications when they run locally) to the loopback address. It is
argued, reasonably, that a forward-mapped zone file for **localhost** is
therefore not strictly required. This manual does use the BIND 9 distribution
file ``localhost-forward.db`` (normally in /etc/namedb/master or
/usr/local/etc/namedb/master) in all configuration samples for the following
reasons:
1. Many users elect to delete the ``hosts`` file for security reasons (it is a
potential target of serious domain name redirection/poisoning attacks).
2. Systems normally lookup any name (including domain names) using the
``hosts`` file first (if present), followed by DNS. However, the
``nsswitch.conf`` file (typically in /etc) controls this order (normally
**hosts: file dns**), allowing the order to be changed or the **file** value
to be deleted entirely depending on local needs. Unless the BIND
administrator controls this file and knows its values, it is unsafe to
assume that **localhost** is forward-mapped correctly.
3. As a reminder to users that unnecessary queries for **localhost** form a
non-trivial volume of DNS queries on the public network, which affects DNS
performance for all users.
Users may, however, elect at their discretion not to implement this file since,
depending on the operational environment, it may not be essential.
The BIND 9 distribution file ``localhost-forward.db`` format is shown for
completeness and provides for both IPv4 and IPv6 localhost resolution. The zone
(domain) name is **localhost.**
.. code-block::
:linenos:
$TTL 3h
localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
NS localhost.
A 127.0.0.1
AAAA ::1
.. NOTE:: Readers of a certain age or disposition may note the reference in this file to the late,
lamented Douglas Noel Adams.
localhost Reverse-Mapped Zone File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This zone file allows any query requesting the name associated with the
loopback IP (127.0.0.1). This file is required to prevent unnecessary queries
from reaching the public DNS hierarchy. The BIND 9 distribution file
``localhost.rev`` is shown for completeness:
.. code-block::
:linenos:
$TTL 1D
@ IN SOA localhost. root.localhost. (
2007091701 ; serial
30800 ; refresh
7200 ; retry
604800 ; expire
300 ) ; minimum
IN NS localhost.
1 IN PTR localhost.

570
doc/arm/config-resolve.inc.rst Normal file
View File

@@ -0,0 +1,570 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _config_resolver_samples:
Resolver (Caching Name Servers)
-------------------------------
Resolvers handle :ref:`recursive user queries <recursive_query>` and provide
complete answers; that is, they issue one or more :ref:`iterative queries
<iterative_query>` to the DNS hierarchy. Having obtained a complete answer (or
an error), a resolver passes the answer to the user and places it in its cache.
Subsequent user requests for the same query will be answered from the
resolver's cache until the :term:`TTL` of the cached answer has expired, when
it will be flushed from the cache; the next user query that requests the same
information results in a new series of queries to the DNS hierarchy.
Resolvers are frequently referred to by a bewildering variety of names,
including caching name servers, recursive name servers, forwarding resolvers,
area resolvers, and full-service resolvers.
The following diagram shows how resolvers can function in a typical networked
environment:
.. figure:: resolver-forward.png
:align: center
Resolver and Forwarding Resolver
1. End-user systems are all distributed with a local **stub resolver** as a
standard feature. Today, the majority of stub resolvers also provide a local
cache service to speed up user response times.
2. A stub resolver has limited functionality; specifically, it cannot follow
:ref:`referrals<referral>`. When a stub resolver receives a request for a
name from a local program, such as a browser, and the answer is not in its
local cache, it sends a :ref:`recursive user query<recursive_query>` (1) to
a locally configured resolver (5), which may have the answer available in
its cache. If it does not, it issues :ref:`iterative
queries<iterative_query>` (2) to the DNS hierarchy to obtain the answer. The
resolver to which the local system sends the user query is configured, for
Linux and Unix hosts, in ``/etc/resolv.conf``; for Windows users it is
configured or changed via the Control Panel or Settings interface.
3. Alternatively, the user query can be sent to a **forwarding resolver** (4).
Forwarding resolvers on first glance look fairly pointless, since they
appear to be acting as a simple pass-though and, like the stub resolver,
require a full-service resolver (5). However, forwarding resolvers can be
very powerful additions to a network for the following reasons:
a) Cost and Performance. Each **recursive user query** (1) at the forwarding
resolver (4) results in two messages - the query and its answer. The resolver
(5) may have to issue three, four, or more query pairs (2) to get the required
answer. Traffic is reduced dramatically, increasing performance or reducing
cost (if the link is tariffed). Additionally, since the forwarding resolver is
typically shared across multiple hosts, its cache is more likely to contain
answers, again improving user performance.
b) Network Maintenance. Forwarding resolvers (4) can be used to ease the burden
of local administration by providing a single point at which changes to remote
name servers can be managed, rather than having to update all hosts. Thus, all
hosts in a particular network section or area can be configured to point to a
forwarding resolver, which can be configured to stream DNS traffic as desired
and changed over time with minimal effort.
c) Sanitizing Traffic. Especially in larger private networks it may be sensible
to stream DNS traffic using a forwarding resolver structure. The forwarding
resolver (4) may be configured, for example, to handle all in-domain traffic
(relatively safe) and forward all external traffic to a **hardened** resolver
(5).
d) Stealth Networks. Forwarding resolvers are extensively used in :ref:`stealth
or split networks<split_dns_sample>`.
4. Forwarding resolvers (4) can be configured to forward all traffic to a
resolver (5), or to only forward selective traffic (5) while directly
resolving other traffic (3).
.. Attention:: While the diagram above shows **recursive user queries**
arriving via interface (1), there is nothing to stop them from arriving via
interface (2) via the public network. If no limits are placed on the source
IPs that can send such queries, the resolver is termed an **open resolver**.
Indeed, when the world was young this was the way things worked on the
Internet. Much has changed and what seems to be a friendly, generous action
can be used by rogue actors to cause all kinds of problems including
**Denial of Service (DoS)** attacks. Resolvers should always be configured
to limit the IP addresses that can use their services. BIND 9 provides a
number of statements and clauses to simplify defining these IP limits and
configuring a **closed resolver**. The resolver samples given here all
configure closed resolvers using a variety of techniques.
Additional Zone Files
~~~~~~~~~~~~~~~~~~~~~
Root Servers (Hint) Zone File
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Resolvers (although not necessarily forwarding resolvers) need to access the
DNS hierarchy. To do this, they need to know the addresses (IPv4 and/or IPv6)
of the 13 :ref:`root servers<root_servers>`. This is done by the provision of a
root server zone file, which is contained in the standard BIND 9 distribution
as the file ``named.root`` (normally found in /etc/namedb or
/usr/local/namedb). This file may also be obtained from the IANA website
(https://www.iana.org/domains/root/files).
.. Note:: Many distributions rename this file for historical reasons.
Consult the appropriate distribution documentation for the actual file name.
The hint zone file is referenced using the :ref:`type hint;<type>` statement and
a zone (domain) name of "." (the generally silent dot).
.. Note:: The root server IP addresses have been stable for a number of
years and are likely to remain stable for the near future. BIND 9 has a
root-server list in its executable such that even if this file is omitted,
out-of-date, or corrupt BIND 9 can still function. For this reason, many
sample configurations omit the hints file. All the samples given here
include the hints file primarily as a reminder of the functionality of the
configuration, rather than as an absolute necessity.
Private IP Reverse Map Zone Files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Resolvers are configured to send :ref:`iterative queries<iterative_query>` to
the public DNS hierarchy when the information requested is not in their cache
or not defined in any local zone file. Many networks make extensive use of
private IP addresses (defined by :rfc:`1918`, :rfc:`2193`, :rfc:`5737`, and
:rfc:`6598`). By their nature these IP addresses are forward-mapped in various
user zone files. However, certain applications may issue **reverse map**
queries (mapping an IP address to a name). If the private IP addresses are not
defined in one or more reverse-mapped zone file(s), the resolver sends them to
the DNS hierarchy where they are simply useless traffic, slowing down DNS
responses for all users.
Private IP addresses may be defined using standard :ref:`reverse-mapping
techniques<ipv4_reverse>` or using the
:ref:`empty-zones-enable<empty-zones-enable>` statement. By
default this statement is set to ``empty-zones-enable yes;`` and thus automatically prevents
unnecessary DNS traffic by sending an NXDOMAIN error response (indicating the
name does not exist) to any request. However, some applications may require a
genuine answer to such reverse-mapped requests or they will fail to function.
Mail systems in particular perform reverse DNS queries as a first-line spam
check; in this case a reverse-mapped zone file is essential. The sample
configuration files given here for both the resolver and the forwarding
resolver provide a reverse-mapping zone file for the private IP address
192.168.254.4, which is the mail server address in the :ref:`base zone
file<base_zone_file>`, as an illustration of the reverse-map technique. The
file is named ``192.168.254.rev`` and has a zone name of
**254.168.192.in-addr.arpa**.
.. code-block::
:linenos:
; reverse map zone file for 192.168.254.4 only
$TTL 2d ; 172800 seconds
$ORIGIN 254.168.192.IN-ADDR.ARPA.
@ IN SOA ns1.example.com. hostmaster.example.com. (
2003080800 ; serial number
3h ; refresh
15m ; update retry
3w ; expiry
3h ; nx = nxdomain ttl
)
; only one NS is required for this local file
; and is an out of zone name
IN NS ns1.example.com.
; other IP addresses can be added as required
; this maps 192.168.254.4 as shown
4 IN PTR mail.example.com. ; fully qualified domain name (FQDN)
.. _sample_resolver:
Resolver Configuration
~~~~~~~~~~~~~~~~~~~~~~
The resolver provides :ref:`recursive query support<recursive_query>` to a defined set of IP addresses.
It is therefore a **closed** resolver and cannot be used in wider network attacks.
.. code-block:: c
:linenos:
// resolver named.conf file
// Two corporate subnets we wish to allow queries from
// defined in an acl clause
acl corpnets {
192.168.4.0/24;
192.168.7.0/24;
};
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// this is the default
recursion yes;
// recursive queries only allowed from these ips
// and references the acl clause
allow-query { corpnets; };
// this ensures that any reverse map for private IPs
// not defined in a zone file will *not* be passed to the public network
// it is the default value
empty-zones-enable yes;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// zone file for the root servers
// discretionary zone (see root server discussion above)
zone "." {
type hint;
file "named.root";
};
// zone file for the localhost forward map
// discretionary zone depending on hosts file (see discussion)
zone "localhost" {
type primary;
file "masters/localhost-forward.db";
notify no;
};
// zone file for the loopback address
// necessary zone
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// zone file for local IP reverse map
// discretionary file depending on requirements
zone "254.168.192.in-addr.arpa" {
type primary;
file "192.168.254.rev";
notify no;
};
The :ref:`zone<zone_clause>` and :ref:`acl<acl_grammar>` clauses, and the
:ref:`allow-query<allow-query>`, :ref:`empty-zones-enable<empty-zones-enable>`,
:ref:`file<file>`, :ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and
:ref:`type<type>` statements are described in detail in the appropriate
sections.
As a reminder, the configuration of this resolver does **not** access the DNS
hierarchy (does not use the public network) for any recursive query for which:
1. The answer is already in the cache.
2. The domain name is **localhost** (zone localhost).
3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
5. Is a reverse-map query for any local IP (``empty-zones-enable``
statement).
All other recursive queries will result in access to the DNS hierarchy to
resolve the query.
.. _sample_forwarding:
Forwarding Resolver Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This forwarding resolver configuration forwards all recursive queries, other
than those for the defined zones and those for which the answer is already in
its cache, to a full-service resolver at the IP address 192.168.250.3, with an
alternative at 192.168.230.27. The forwarding resolver will cache all responses
from these servers. The configuration is closed, in that it defines those IPs
from which it will accept recursive queries.
A second configuration in which selective forwarding occurs :ref:`is also
provided<selective_forward_sample>`.
.. code-block:: c
:linenos:
// forwarding named.conf file
// Two corporate subnets we wish to allow queries from
// defined in an acl clause
acl corpnets {
192.168.4.0/24;
192.168.7.0/24;
};
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// this is the default
recursion yes;
// recursive queries only allowed from these ips
// and references the acl clause
allow-query { corpnets; };
// this ensures that any reverse map for private IPs
// not defined in a zone file will *not* be passed to the public network
// it is the default value
empty-zones-enable yes;
// this defines the addresses of the resolvers to which queries will be forwarded
forwarders {
192.168.250.3;
192.168.230.27;
};
// indicates all queries will be forwarded other than for defined zones
forward only;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// hints zone file is not required
// zone file for the localhost forward map
// discretionary zone depending on hosts file (see discussion)
zone "localhost" {
type primary;
file "masters/localhost-forward.db";
notify no;
};
// zone file for the loopback address
// necessary zone
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// zone file for local IP reverse map
// discretionary file depending on requirements
zone "254.168.192.in-addr.arpa" {
type primary;
file "192.168.254.rev";
notify no;
};
The :ref:`zone<zone_clause>` and :ref:`acl<acl_grammar>` clauses, and the
:ref:`allow-query<allow-query>`, :ref:`empty-zones-enable<empty-zones-enable>`,
:ref:`file<file>`, :ref:`forward<forward>`, :ref:`forwarders<forwarders>`,
:ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and :ref:`type<type>`
statements are described in detail in the appropriate sections.
As a reminder, the configuration of this forwarding resolver does **not**
forward any recursive query for which:
1. The answer is already in the cache.
2. The domain name is **localhost** (zone localhost).
3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
5. Is a reverse-map query for any local IP (``empty-zones-enable`` statement).
All other recursive queries will be forwarded to resolve the query.
.. _selective_forward_sample:
Selective Forwarding Resolver Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This forwarding resolver configuration only forwards recursive queries for the
zone **example.com** to the resolvers at 192.168.250.3 and 192.168.230.27. All
other recursive queries, other than those for the defined zones and those for
which the answer is already in its cache, are handled by this resolver. The
forwarding resolver will cache all responses from both the public network and
from the forwarded resolvers. The configuration is closed, in that it defines
those IPs from which it will accept recursive queries.
.. code-block:: c
:linenos:
// selective forwarding named.conf file
// Two corporate subnets we wish to allow queries from
// defined in an acl clause
acl corpnets {
192.168.4.0/24;
192.168.7.0/24;
};
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// this is the default
recursion yes;
// recursive queries only allowed from these ips
// and references the acl clause
allow-query { corpnets; };
// this ensures that any reverse map for private IPs
// not defined in a zone file will *not* be passed to the public network
// it is the default value
empty-zones-enable yes;
// forwarding is not global but selective by zone in this configuration
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// zone file for the root servers
// discretionary zone (see root server discussion above)
zone "." {
type hint;
file "named.root";
};
// zone file for the localhost forward map
// discretionary zone depending on hosts file (see discussion)
zone "localhost" {
type primary;
file "masters/localhost-forward.db";
notify no;
};
// zone file for the loopback address
// necessary zone
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// zone file for local IP reverse map
// discretionary file depending on requirements
zone "254.168.192.in-addr.arpa" {
type primary;
file "192.168.254.rev";
notify no;
};
// zone file forwarded example.com
zone "example.com" {
type forward;
// this defines the addresses of the resolvers to
// which queries for this zone will be forwarded
forwarders {
192.168.250.3;
192.168.230.27;
};
// indicates all queries for this zone will be forwarded
forward only;
};
The :ref:`zone<zone_clause>` and :ref:`acl<acl_grammar>` clauses, and the
:ref:`allow-query<allow-query>`, :ref:`empty-zones-enable<empty-zones-enable>`,
:ref:`file<file>`, :ref:`forward<forward>`, :ref:`forwarders<forwarders>`,
:ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and :ref:`type<type>`
statements are described in detail in the appropriate sections.
As a reminder, the configuration of this resolver does **not** access the DNS
hierarchy (does not use the public network) for any recursive query for which:
1. The answer is already in the cache.
2. The domain name is **localhost** (zone localhost).
3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
5. Is a reverse-map query for any local IP (empty-zones-enable statement).
6. Is a query for the domain name **example.com**, in which case it will be
forwarded to either 192.168.250.3 or 192.168.230.27 (zone example.com).
All other recursive queries will result in access to the DNS hierarchy to
resolve the query.
.. _load_balancing:
Load Balancing
--------------
A primitive form of load balancing can be achieved in the DNS by using multiple
resource records (RRs) in a :ref:`zone file<zone_file>` (such as multiple A
records) for one name.
For example, assuming three HTTP servers with network addresses of
10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
means that clients will connect to each machine one-third of the time:
+-----------+------+----------+----------+----------------------------+
| Name | TTL | CLASS | TYPE | Resource Record (RR) Data |
+-----------+------+----------+----------+----------------------------+
| www | 600 | IN | A | 10.0.0.1 |
+-----------+------+----------+----------+----------------------------+
| | 600 | IN | A | 10.0.0.2 |
+-----------+------+----------+----------+----------------------------+
| | 600 | IN | A | 10.0.0.3 |
+-----------+------+----------+----------+----------------------------+
When a resolver queries for these records, BIND rotates them and
responds to the query with the records in a random order. In the
example above, clients randomly receive records in the order 1, 2,
3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
and discard the rest.
For more detail on ordering responses, refer to the
:ref:`rrset-order<rrset_ordering>` statement in the
:ref:`options<options_grammar>` clause.

0
doc/arm/dlz.rst → doc/arm/dlz.inc.rst
View File

120
doc/arm/configuration.rst → doc/arm/dns-ops.inc.rst
View File

@@ -9,123 +9,6 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. Configuration:
Name Server Configuration
=========================
In this chapter we provide some suggested configurations, along with
guidelines for their use. We suggest reasonable values for certain
option settings.
.. _sample_configuration:
Sample Configurations
---------------------
.. _cache_only_sample:
A Caching-only Name Server
~~~~~~~~~~~~~~~~~~~~~~~~~~
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All queries
from outside clients are refused using the ``allow-query`` option.
The same effect can be achieved using suitable firewall
rules.
::
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
allow-query { corpnets; };
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
.. _auth_only_sample:
An Authoritative-only Name Server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This sample configuration is for an authoritative-only server that is
the primary server for ``example.com`` and a secondary server for the subdomain
``eng.example.com``.
::
options {
// Do not allow access to cache
allow-query-cache { none; };
// This is the default
allow-query { any; };
// Do not provide recursive service
recursion no;
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// We are the primary server for example.com
zone "example.com" {
type primary;
file "example.com.db";
// IP addresses of secondary servers allowed to
// transfer example.com
allow-transfer {
192.168.4.14;
192.168.5.53;
};
};
// We are a secondary server for eng.example.com
zone "eng.example.com" {
type secondary;
file "eng.example.com.bk";
// IP address of eng.example.com primary server
primaries { 192.168.4.12; };
};
.. _load_balancing:
Load Balancing
--------------
A primitive form of load balancing can be achieved in the DNS by using
multiple records (such as multiple A records) for one name.
For example, assuming three HTTP servers with network addresses of
10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
means that clients will connect to each machine one-third of the time:
+-----------+------+----------+----------+----------------------------+
| Name | TTL | CLASS | TYPE | Resource Record (RR) Data |
+-----------+------+----------+----------+----------------------------+
| www | 600 | IN | A | 10.0.0.1 |
+-----------+------+----------+----------+----------------------------+
| | 600 | IN | A | 10.0.0.2 |
+-----------+------+----------+----------+----------------------------+
| | 600 | IN | A | 10.0.0.3 |
+-----------+------+----------+----------+----------------------------+
When a resolver queries for these records, BIND rotates them and
responds to the query with the records in a different order. In the
example above, clients randomly receive records in the order 1, 2,
3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
and discard the rest.
For more detail on ordering responses, check the ``rrset-order``
sub-statement in the ``options`` statement; see :ref:`rrset_ordering`.
.. _ns_operations: .. _ns_operations:
Name Server Operations Name Server Operations
@@ -206,6 +89,8 @@ server.
For more information and a list of available commands and options, For more information and a list of available commands and options,
see :ref:`man_named-compilezone`. see :ref:`man_named-compilezone`.
.. _ops_rndc:
:iscman:`rndc` :iscman:`rndc`
The remote name daemon control (:iscman:`rndc`) program allows the system The remote name daemon control (:iscman:`rndc`) program allows the system
administrator to control the operation of a name server. administrator to control the operation of a name server.
@@ -312,4 +197,3 @@ described in the following table. These signals can be sent using the
| ``SIGINT`` | Causes the server to clean up and exit. | | ``SIGINT`` | Causes the server to clean up and exit. |
+--------------+-------------------------------------------------------------+ +--------------+-------------------------------------------------------------+
.. include:: plugins.rst

BIN
doc/arm/dns-security-overview.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/dns-security-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
doc/arm/dns-servers.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/dns-servers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
doc/arm/dns-tree.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/dns-tree.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

2
doc/arm/dnssec-guide.rst
View File

@@ -9,6 +9,8 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. _dnssec_guide:
DNSSEC Guide DNSSEC Guide
============ ============

242
doc/arm/dnssec.rst → doc/arm/dnssec.inc.rst
View File

@@ -9,13 +9,225 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. _dnssec.dynamic.zones: .. _dnssec:
DNSSEC
------
Cryptographic authentication of DNS information is possible through the
DNS Security ("DNSSEC-bis") extensions, defined in :rfc:`4033`, :rfc:`4034`,
and :rfc:`4035`. This section describes the creation and use of DNSSEC
signed zones.
In order to set up a DNSSEC secure zone, there are a series of steps
which must be followed. BIND 9 ships with several tools that are used in
this process, which are explained in more detail below. In all cases,
the ``-h`` option prints a full list of parameters. Note that the DNSSEC
tools require the keyset files to be in the working directory or the
directory specified by the ``-d`` option.
There must also be communication with the administrators of the parent
and/or child zone to transmit keys. A zone's security status must be
indicated by the parent zone for a DNSSEC-capable resolver to trust its
data. This is done through the presence or absence of a ``DS`` record at
the delegation point.
For other servers to trust data in this zone, they must be
statically configured with either this zone's zone key or the zone key of
another zone above this one in the DNS tree.
.. _generating_dnssec_keys:
DNSSEC Keys
~~~~~~~~~~~
Generating Keys
^^^^^^^^^^^^^^^
The :iscman:`dnssec-keygen` program is used to generate keys.
A secure zone must contain one or more zone keys. The zone keys
sign all other records in the zone, as well as the zone keys of any
secure delegated zones. Zone keys must have the same name as the zone, have a
name type of ``ZONE``, and be usable for authentication. It is
recommended that zone keys use a cryptographic algorithm designated as
"mandatory to implement" by the IETF. Currently there are two algorithms,
RSASHA256 and ECDSAP256SHA256; ECDSAP256SHA256 is recommended for
current and future deployments.
The following command generates an ECDSAP256SHA256 key for the
``child.example`` zone:
``dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.``
Two output files are produced: ``Kchild.example.+013+12345.key`` and
``Kchild.example.+013+12345.private`` (where 12345 is an example of a
key tag). The key filenames contain the key name (``child.example.``),
the algorithm (5 is RSASHA1, 8 is RSASHA256, 13 is ECDSAP256SHA256, 15 is
ED25519, etc.), and the key tag (12345 in this case). The private key (in
the ``.private`` file) is used to generate signatures, and the public
key (in the ``.key`` file) is used for signature verification.
To generate another key with the same properties but with a different
key tag, repeat the above command.
The :iscman:`dnssec-keyfromlabel` program is used to get a key pair from a
crypto hardware device and build the key files. Its usage is similar to
:iscman:`dnssec-keygen`.
The public keys should be inserted into the zone file by including the
``.key`` files using ``$INCLUDE`` statements.
.. _dnssec_zone_signing:
Signing the Zone
^^^^^^^^^^^^^^^^
The :iscman:`dnssec-signzone` program is used to sign a zone.
Any ``keyset`` files corresponding to secure sub-zones should be
present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
records for the zone, as well as ``DS`` for the child zones if :option:`-g <dnssec-signzone -g>`
is specified. If :option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the
secure child zones need to be added manually.
By default, all zone keys which have an available private key are used
to generate signatures. The following command signs the zone, assuming
it is in a file called ``zone.child.example``:
``dnssec-signzone -o child.example zone.child.example``
One output file is produced: ``zone.child.example.signed``. This file
should be referenced by :iscman:`named.conf` as the input file for the zone.
:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used
to provide the parent zone administrators with the ``DNSKEYs`` (or their
corresponding ``DS`` records) that are the secure entry point to the zone.
.. _dnssec_config:
Configuring Servers for DNSSEC
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To enable :iscman:`named` to validate answers received from other servers, the
``dnssec-validation`` option must be set to either ``yes`` or ``auto``.
When ``dnssec-validation`` is set to ``auto``, a trust anchor for the
DNS root zone is automatically used. This trust anchor is provided
as part of BIND and is kept up to date using :rfc:`5011` key management.
When ``dnssec-validation`` is set to ``yes``, DNSSEC validation
only occurs if at least one trust anchor has been explicitly configured
in :iscman:`named.conf`, using a ``trust-anchors`` statement (or the
``managed-keys`` and ``trusted-keys`` statements, both deprecated).
When ``dnssec-validation`` is set to ``no``, DNSSEC validation does not
occur.
The default is ``auto`` unless BIND is built with
``configure --disable-auto-validation``, in which case the default is
``yes``.
The keys specified in ``trust-anchors`` are copies of DNSKEY RRs for zones that are
used to form the first link in the cryptographic chain of trust. Keys configured
with the keyword ``static-key`` or ``static-ds`` are loaded directly into the
table of trust anchors, and can only be changed by altering the
configuration. Keys configured with ``initial-key`` or ``initial-ds`` are used
to initialize :rfc:`5011` trust anchor maintenance, and are kept up-to-date
automatically after the first time :iscman:`named` runs.
``trust-anchors`` is described in more detail later in this document.
BIND 9 does not verify signatures on load, so zone keys
for authoritative zones do not need to be specified in the configuration
file.
After DNSSEC is established, a typical DNSSEC configuration looks
something like the following. It has one or more public keys for the
root, which allows answers from outside the organization to be validated.
It also has several keys for parts of the namespace that the
organization controls. These are here to ensure that :iscman:`named` is immune
to compromised security in the DNSSEC components of parent zones.
::
trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
/* Key for our organization's forward zone */
example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
xOdNax071L18QqZnQQQAVVr+i
LhGTnNGp3HoWQLUIzKrJVZ3zg
gy3WwNT6kZo6c0tszYqbtvchm
gQC8CzKojM/W16i6MG/eafGU3
siaOdS0yOI6BgPsw+YZdzlYMa
IJGf4M4dyoKIhzdZyQ2bYQrjy
Q4LB0lC7aOnsMyYKHHYeRvPxj
IQXmdqgOJGq+vsevG06zW+1xg
YJh9rCIfnm1GX/KMgxLPG2vXT
D/RnLX+D3T3UL7HJYHJhAZD5L
59VvjSPsZJHeDCUyWYrvPZesZ
DIRvhDD52SKvbheeTJUm6Ehkz
ytNN2SN96QRk8j/iI8ib";
};
options {
...
dnssec-validation yes;
};
..
.. note::
None of the keys listed in this example are valid. In particular, the
root key is not valid.
When DNSSEC validation is enabled and properly configured, the resolver
rejects any answers from signed, secure zones which fail to
validate, and returns SERVFAIL to the client.
Responses may fail to validate for any of several reasons, including
missing, expired, or invalid signatures, a key which does not match the
DS RRset in the parent zone, or an insecure response from a zone which,
according to its parent, should have been secure.
.. note::
When the validator receives a response from an unsigned zone that has
a signed parent, it must confirm with the parent that the zone was
intentionally left unsigned. It does this by verifying, via signed
and validated NSEC/NSEC3 records, that the parent zone contains no DS
records for the child.
If the validator *can* prove that the zone is insecure, then the
response is accepted. However, if it cannot, the validator must assume an
insecure response to be a forgery; it rejects the response and logs
an error.
The logged error reads "insecurity proof failed" and "got insecure
response; parent indicates it should be secure."
.. _dnssec_dynamic_zones:
DNSSEC, Dynamic Zones, and Automatic Signing DNSSEC, Dynamic Zones, and Automatic Signing
-------------------------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Converting From Insecure to Secure Converting From Insecure to Secure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
A zone can be changed from insecure to secure in three ways: using a A zone can be changed from insecure to secure in three ways: using a
dynamic DNS update, via the ``auto-dnssec`` zone option, or by setting a dynamic DNS update, via the ``auto-dnssec`` zone option, or by setting a
@@ -55,7 +267,7 @@ For example:
}; };
Dynamic DNS Update Method Dynamic DNS Update Method
~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^
To insert the keys via dynamic update: To insert the keys via dynamic update:
@@ -96,7 +308,7 @@ While the initial signing and NSEC/NSEC3 chain generation is happening,
other updates are possible as well. other updates are possible as well.
Fully Automatic Zone Signing Fully Automatic Zone Signing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To enable automatic signing, set a ``dnssec-policy`` or add the To enable automatic signing, set a ``dnssec-policy`` or add the
``auto-dnssec`` option to the zone statement in :iscman:`named.conf`. ``auto-dnssec`` option to the zone statement in :iscman:`named.conf`.
@@ -149,7 +361,7 @@ allow dynamic updates, by adding an ``allow-update`` or
been done, the configuration fails. been done, the configuration fails.
Private Type Records Private Type Records
~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^
The state of the signing process is signaled by private type records The state of the signing process is signaled by private type records
(with a default type value of 65534). When signing is complete, those (with a default type value of 65534). When signing is complete, those
@@ -186,14 +398,14 @@ perform based on the flag bits:
0x20 NONSEC 0x20 NONSEC
DNSKEY Rollovers DNSKEY Rollovers
~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^
As with insecure-to-secure conversions, DNSSEC keyrolls can be done As with insecure-to-secure conversions, DNSSEC keyrolls can be done
in two ways: using a dynamic DNS update, or via the ``auto-dnssec`` zone in two ways: using a dynamic DNS update, or via the ``auto-dnssec`` zone
option. option.
Dynamic DNS Update Method Dynamic DNS Update Method
~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^
To perform key rollovers via a dynamic update, the ``K*`` To perform key rollovers via a dynamic update, the ``K*``
files for the new keys must be added so that :iscman:`named` can find them. files for the new keys must be added so that :iscman:`named` can find them.
@@ -215,7 +427,7 @@ correct key. :iscman:`named` cleans out any signatures generated by the
old key after the update completes. old key after the update completes.
Automatic Key Rollovers Automatic Key Rollovers
~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^
When a new key reaches its activation date (as set by :iscman:`dnssec-keygen` When a new key reaches its activation date (as set by :iscman:`dnssec-keygen`
or :iscman:`dnssec-settime`), and if the ``auto-dnssec`` zone option is set to or :iscman:`dnssec-settime`), and if the ``auto-dnssec`` zone option is set to
@@ -229,7 +441,7 @@ validity periods expire. By default, this rollover completes in 30 days,
after which it is safe to remove the old key from the DNSKEY RRset. after which it is safe to remove the old key from the DNSKEY RRset.
NSEC3PARAM Rollovers via UPDATE NSEC3PARAM Rollovers via UPDATE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The new NSEC3PARAM record can be added via dynamic update. When the new NSEC3 The new NSEC3PARAM record can be added via dynamic update. When the new NSEC3
chain has been generated, the NSEC3PARAM flag field is set to zero. At chain has been generated, the NSEC3PARAM flag field is set to zero. At
@@ -237,7 +449,7 @@ that point, the old NSEC3PARAM record can be removed. The old chain is
removed after the update request completes. removed after the update request completes.
Converting From NSEC to NSEC3 Converting From NSEC to NSEC3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Add a ``nsec3param`` option to your ``dnssec-policy`` and Add a ``nsec3param`` option to your ``dnssec-policy`` and
run :option:`rndc reconfig`. run :option:`rndc reconfig`.
@@ -248,7 +460,7 @@ In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
added before the NSEC chain is destroyed. added before the NSEC chain is destroyed.
Converting From NSEC3 to NSEC Converting From NSEC3 to NSEC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
run :option:`rndc reconfig`. run :option:`rndc reconfig`.
@@ -258,7 +470,7 @@ zero flag field. The NSEC chain is generated before the NSEC3 chain
is removed. is removed.
Converting From Secure to Insecure Converting From Secure to Insecure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To convert a signed zone to unsigned using dynamic DNS, delete all the To convert a signed zone to unsigned using dynamic DNS, delete all the
DNSKEY records from the zone apex using :iscman:`nsupdate`. All signatures, DNSKEY records from the zone apex using :iscman:`nsupdate`. All signatures,
@@ -272,7 +484,7 @@ In addition, if the ``auto-dnssec maintain`` zone statement is used, it
should be removed or changed to ``allow`` instead; otherwise it will re-sign. should be removed or changed to ``allow`` instead; otherwise it will re-sign.
Periodic Re-signing Periodic Re-signing
~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^
In any secure zone which supports dynamic updates, :iscman:`named` In any secure zone which supports dynamic updates, :iscman:`named`
periodically re-signs RRsets which have not been re-signed as a result of periodically re-signs RRsets which have not been re-signed as a result of
@@ -280,7 +492,7 @@ some update action. The signature lifetimes are adjusted to
spread the re-sign load over time rather than all at once. spread the re-sign load over time rather than all at once.
NSEC3 and OPTOUT NSEC3 and OPTOUT
~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^
:iscman:`named` only supports creating new NSEC3 chains where all the NSEC3 :iscman:`named` only supports creating new NSEC3 chains where all the NSEC3
records in the zone have the same OPTOUT state. :iscman:`named` supports records in the zone have the same OPTOUT state. :iscman:`named` supports

0
doc/arm/dyndb.rst → doc/arm/dyndb.inc.rst
View File

17
doc/arm/index.rst
View File

@@ -17,14 +17,17 @@ BIND 9 Administrator Reference Manual
:numbered: :numbered:
:maxdepth: 2 :maxdepth: 2
introduction chapter1
requirements chapter2
configuration chapter3
chapter4
chapter5
chapter6
chapter7
reference reference
advanced chapter9
security chapter10
troubleshooting
.. toctree:: .. toctree::
:caption: Appendices :caption: Appendices
:name: appendices :name: appendices

197
doc/arm/intro-dns-bind.inc.rst Normal file
View File

@@ -0,0 +1,197 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _dns_overview:
The Domain Name System (DNS)
----------------------------
This is a brief description of the functionality and organization of the Domain Name System (DNS).
It is provided to familiarize users with the concepts involved, the (often confusing) terminology
used, and how all the parts fit together to form an operational system.
All network systems operate with network addresses, such as IPv4 and IPv6. The vast majority of
humans find it easier to work with names rather than seemingly endless strings of network address digits. The earliest ARPANET systems
(from which the Internet evolved) mapped names to addresses using a **hosts** file that was distributed to all entities
whenever changes occurred. Operationally, such a system became rapidly unsustainable once there were more
than 100 networked entities, which led to the specification and implementation of the Domain Name System that we use today.
.. _dns_fundamentals:
DNS Fundamentals
~~~~~~~~~~~~~~~~
The DNS naming system is organized as a tree structure comprised of multiple levels and
thus it naturally creates a distributed system. Each node
in the tree is given a label which defines its **Domain** (its area or zone) of **Authority**.
The topmost node in the tree is the **Root Domain**; it delegates to **Domains** at the next level which are generically
known as the **Top-Level Domains (TLDs)**. They in turn delegate to **Second-Level Domains (SLDs)**, and so on.
The Top-Level Domains (TLDs) include a special group of TLDs called the **Country Code Top-Level Domains (ccTLDs)**,
in which every country is assigned a unique two-character country code from ISO 3166 as its domain.
.. Note:: The Domain Name System is controlled by ICANN (https://www.icann.org) (a 501c non-profit entity); their current policy
is that any new TLD, consisting of three or more characters, may be proposed by any group of commercial sponsors and
if it meets ICANN's criteria will be added to the TLDs.
The concept of delegation and authority flows down the DNS tree (the DNS hierarchy) as shown:
.. figure:: dns-tree.png
:align: center
Delegation and Authority in the DNS Name Space
A domain is the label of a node in the tree. A **domain name** uniquely identifies any node in the DNS tree and is written, left to right,
by combining all the domain labels (each of which are unique within their parent's zone or domain of authority), with a dot
separating each component, up to the root domain. In the above diagram the following are all domain names:
.. code-block::
example.com
b.com
ac.uk
us
org
The root has a unique label of "." (dot), which is normally omitted when it is written as
a domain name, but when it is written as a **Fully Qualified Domain Name (FQDN)** the dot must be present. Thus:
.. code-block::
example.com # domain name
example.com. # FQDN
Authority and Delegation
~~~~~~~~~~~~~~~~~~~~~~~~
Each domain (node) has been **delegated** the authority from its parent domain. The delegated authority includes
specific responsibilities to ensure that every domain it delegates has a unique name or label within its zone or domain of authority, and
that it maintains an **authoritative** list of its delegated domains. The responsibilities further include an operational requirement to
operate two (or more) name servers (which may be contracted to a third party) which will contain the authoritative data
for all the domain labels within its zone of authority in a :ref:`zone file<zone_file>`. Again, the
tree structure ensures that the DNS name space is naturally distributed.
The following diagram illustrates that **Authoritative Name Servers** exist for every level and every domain in the DNS name space:
.. figure:: dns-servers.png
:align: center
Authoritative Name Servers in the DNS Name Space
.. Note:: The difference between a domain and a zone can appear confusing. Practically, the terms are generally used synonymously in the DNS.
If, however, you are into directed graphs and tree structure theory or similar exotica, a zone can be considered as
an arc through any node (or domain) with the domain at its apex. The zone therefore encompasses all the name space below the domain.
This can, however, lead to the concept of subzones and these were indeed defined in the original DNS specifications.
Thankfully the term subzone has been lost in the mists of time.
.. _root_servers:
Root Servers
~~~~~~~~~~~~
The **root servers** are a critical part of the DNS authoritative infrastructure. There are 13 root servers (*a.root-servers.net*
to *m.root-servers.net*). The number 13 is historically based on the maximum amount of name and IPv4 data
that could be packed into a 512-byte UDP message, and not a perverse affinity for a number that certain
cultures treat as unlucky. The 512-byte UDP data limit
is no longer a limiting factor and all root servers now support both IPv4 and IPv6. In addition, almost all the
root servers use **anycast**, with well over
300 instances of the root servers now providing service worldwide (see further information at https://www.root-servers.org).
The root servers are the starting point for all **name resolution** within the DNS.
Name Resolution
~~~~~~~~~~~~~~~
So far all the emphasis has been on how the DNS stores its authoritative domain (zone) data. End-user systems
use names (an email address or a web address) and need to access this authoritative data to obtain an IP address, which
they use to contact the required network resources such as web, FTP, or mail servers. The process of converting a
domain name to a result (typically an IP address, though other types of data may be obtained) is generically called **name resolution**, and is handled by
**resolvers** (also known as **caching name servers** and many other terms). The following diagram shows the typical name resolution process:
.. figure:: name-resolution.png
:align: center
Authoritative Name Servers and Name Resolution
An end-user application, such as a browser (1), when needing to resolve a name such as **www.example.com**, makes an
internal system call to a minimal function resolution entity called a **stub resolver** (2). The stub resolver (using stored
IP addresses) contacts a resolver (a caching name server or full-service resolver) (3), which in turn contacts all the necessary
authoritative name servers (4, 5, and 6) to provide the answer that it then returns to the user (2, 1). To improve performance,
all resolvers (including most stub resolvers) cache (store) their results such that a subsequent request for the same data
is taken from the resolver's cache, removing the need to repeat the name resolution process and use time-consuming resources. All communication between
the stub resolver, the resolver, and the authoritative name servers uses the DNS protocol's query and response message pair.
.. _referral:
.. _recursive_query:
.. _iterative_query:
DNS Protocol and Queries
~~~~~~~~~~~~~~~~~~~~~~~~
DNS **queries** use the UDP protocol over the reserved port 53 (but both TCP and TLS can optionally be used in some parts of the network).
The following diagram shows the name resolution process expressed in terms of DNS queries and responses.
.. figure:: recursive-query.png
:align: center
Resolvers and Queries
The stub resolver sends a **recursive query** message (with the required domain name in the QUESTION section of the query) (2) to the resolver.
A **recursive** query simply requests the resolver to find the complete answer. A stub resolver only ever sends recursive queries
and always needs the service of a resolver. The response to a recursive query can be:
1. The answer to the user's QUESTION in the ANSWER section of the query response.
2. An error (such as NXDOMAIN - the name does not exist).
The resolver, on receipt of the user's recursive query, either responds immediately, if the ANSWER is in its cache, or accesses
the DNS hierarchy to obtain the answer. The resolver always starts with root servers and sends an **iterative query** (4, 5, and 6). The
response to an iterative query can be:
1. The answer to the resolver's QUESTION in the ANSWER section of the query response.
2. A **referral** (indicated by an empty ANSWER section but data in the AUTHORITY section,
and typically IP addresses in the ADDITIONAL section of the response).
3. An error (such as NXDOMAIN - the name does not exist).
If the response is either an answer or an error, these are returned immediately to the user (and cached for future use). If the response
is a referral, the resolver needs to take additional action to respond to the user's recursive query.
A referral, in essence, indicates that the queried server does not know the answer (the ANSWER section of the response is empty), but it
refers the resolver to the authoritative name servers (in the AUTHORITY section of the response) which it knows about in the
domain name supplied in the QUESTION section of the query. Thus, if the QUESTION is for the domain name **www.example.com**, the root
server to which the iterative query was sent adds a list of the **.com authoritative name servers** in the AUTHORITY section.
The resolver selects one of the servers from the AUTHORITY section and sends an
iterative query to it. Similarly, the .com authoritative name servers send a referral containing a list of the **example.com** authoritative name servers.
This process continues down the DNS hierarchy until either an ANSWER or an error is received, at which point the user's original recursive query
is sent a response.
.. Note:: The DNS hierarchy is always accessed starting at the root servers and working down; there is no concept of "up" in the DNS hierarchy. Clearly,
if the resolver has already cached the list of .com authoritative name servers and the user's recursive query QUESTION contains a domain name
ending in .com, it can omit access to the root servers. However, that is simply an artifact (in this case a performance benefit) of
caching and does not change the concept of top-down access within the DNS hierarchy.
The insatiably curious may find reading :rfc:`1034` and :rfc:`1035` a useful starting point for further information.
DNS and BIND 9
~~~~~~~~~~~~~~
BIND 9 is a complete implementation of the DNS protocol. BIND 9 can be configured (using its ``named.conf`` file) as
an authoritative name server, a resolver, and, on supported hosts, a stub resolver. While large operators
usually dedicate DNS servers to a single function per system, smaller operators will find that
BIND 9's flexible configuration features support multiple functions, such as a single DNS server acting
as both an authoritative name server and a resolver.
Example configurations of basic :ref:`authoritative name servers<config_auth_samples>` and
:ref:`resolvers and forwarding resolvers<config_resolver_samples>`, as
well as :ref:`advanced configurations<Advanced>` and :ref:`secure configurations<Security>`, are provided.

76
doc/arm/intro-security.inc.rst Normal file
View File

@@ -0,0 +1,76 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _intro_dns_security:
DNS Security Overview
---------------------
DNS is a communications protocol. All communications protocols are potentially
vulnerable to both subversion and eavesdropping. It is important for
users to audit their exposure to the various threats within their operational environment and implement the
appropriate solutions. BIND 9, a specific implementation of the DNS protocol,
provides an extensive set of security features. The purpose of this section
is to help users to select from the range of available security features those
required for their specific user environment.
A generic DNS network is shown below, followed by text descriptions. In general,
the further one goes from the left-hand side of the diagram, the more complex
the implementation.
.. Note:: Historically, DNS data was regarded as public and security was
concerned, primarily, with ensuring the integrity of DNS data. DNS data privacy
is increasingly regarded as an important dimension of overall security, specifically :ref:`DNS over TLS<dns_over_tls>`.
.. figure:: dns-security-overview.png
:align: center
BIND 9 Security Overview
The following notes refer to the numbered elements in the above diagram.
1. A variety of system administration techniques and methods may be used to secure
BIND 9's local environment, including :ref:`file permissions <file_permissions>`, running
BIND 9 in a :ref:`jail <chroot_and_setuid>`, and the use of :ref:`Access_Control_Lists`.
2. The remote name daemon control (:ref:`rndc<ops_rndc>`) program allows the system
administrator to control the operation of a name server. The majority of BIND 9 packages
or ports come preconfigured with local (loopback address) security preconfigured.
If ``rndc`` is being invoked from a remote host, further configuration is required.
The ``nsupdate`` tool uses **Dynamic DNS (DDNS)** features and allows users to dynamically
change the contents of the zone file(s). ``nsupdate`` access and security may be controlled
using ``named.conf`` :ref:`statements or using TSIG or SIG(0) cryptographic methods <dynamic_update_security>`.
Clearly, if the remote hosts used for either ``rndc`` or DDNS lie within a network entirely
under the user's control, the security threat may be regarded as non-existent. Any implementation requirements,
therefore, depend on the site's security policy.
3. Zone transfer from a **primary** to one or more **secondary** authoritative name servers across a
public network carries risk. The zone transfer may be secured using
``named.conf`` :ref:`statements, TSIG cryptographic methods or TLS<sec_file_transfer>`.
Clearly, if the secondary authoritative name server(s) all lie within a network entirely
under the user's control, the security threat may be regarded as non-existent. Any implementation requirements
again depend on the site's security policy.
4. If the operator of an authoritative name server (primary or secondary) wishes to ensure that
DNS responses to user-initiated queries about the zone(s) for which they are responsible can only
have come from their server, that the data received by the user is the same as that sent, and that
non-existent names are genuine, then :ref:`DNSSEC` is the only solution. DNSSEC requires configuration
and operational changes both to the authoritative name servers and to any resolver which accesses
those servers.
5. The typical Internet-connected end-user device (PCs, laptops, and even mobile phones) either has
a stub resolver or operates via a DNS proxy. A stub resolver requires the services of an area
or full-service resolver to completely answer user queries. Stub resolvers on the majority of PCs and laptops
typically have a caching capability to increase performance. At this time there are no standard stub resolvers or proxy
DNS tools that implement DNSSEC. BIND 9 may be configured to provide such capability on supported Linux or Unix platforms.
:ref:`DNS over TLS <dns_over_tls>` may be configured to verify the integrity of the data between the stub resolver and
area (or full-service) resolver. However, unless the resolver and the Authoritative Name Server implements DNSSEC, end-to-end integrity (from
authoritative name server to stub resolver) cannot be guaranteed.

100
doc/arm/introduction.inc.rst Normal file
View File

@@ -0,0 +1,100 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _introduction:
Introduction to DNS and BIND 9
==============================
The Internet Domain Name System (DNS) consists of:
- the syntax to specify the names of entities in the Internet in a hierarchical manner,
- the rules used for delegating authority over names, and
- the system implementation that actually maps names to Internet addresses.
DNS data is maintained in a group of distributed hierarchical databases.
.. _doc_scope:
Scope of Document
-----------------
The Berkeley Internet Name Domain (BIND) software implements a domain name server
for a number of operating systems. This document provides basic
information about the installation and maintenance of Internet Systems
Consortium (ISC) BIND version 9 software package for system
administrators.
This manual covers BIND version |release|.
.. _organization:
Organization of This Document
-----------------------------
:ref:`introduction` introduces the basic DNS and BIND concepts. Some tutorial material on
:ref:`dns_overview` is presented for those unfamiliar with DNS. A
:ref:`intro_dns_security` is provided to allow BIND operators to implement
appropriate security for their operational environment.
:ref:`requirements` describes the hardware and environment requirements for BIND 9
and lists both the supported and unsupported platforms.
:ref:`configuration` is intended as a quickstart guide for newer users. Sample files
are included for :ref:`config_auth_samples` (both :ref:`primary<sample_primary>` and
:ref:`secondary<sample_secondary>`), as well as a simple :ref:`config_resolver_samples` and
a :ref:`sample_forwarding`. Some reference material on the :ref:`Zone File<zone_file>` is included.
:ref:`ns_operations` covers basic BIND 9 software and DNS operations, including some
useful tools, Unix signals, and plugins.
:ref:`advanced` builds on the configurations of :ref:`configuration`, adding
functions and features the system administrator may need.
:ref:`security` covers most aspects of BIND 9 security, including file permissions,
running BIND 9 in a "jail," and securing file transfers and dynamic updates.
:ref:`dnssec` describes the theory and practice of cryptographic authentication of DNS
information. The :ref:`dnssec_guide` is a practical guide to implementing DNSSEC.
:ref:`Reference` gives exhaustive descriptions of all supported clauses, statements,
and grammars used in BIND 9's ``named.conf`` configuration file.
:ref:`troubleshooting` provides information on identifying and solving BIND 9 and DNS
problems. Information about bug-reporting procedures is also provided.
:ref:`build_bind` is a definitive guide for those occasions where the user requires
special options not provided in the standard Linux or Unix distributions.
The **Appendices** contain useful reference information, such as a bibliography and historic
information related to BIND and the Domain Name System, as well as the current *man*
pages for all the published tools.
.. _conventions:
Conventions Used in This Document
---------------------------------
In this document, we generally use ``fixed-width`` text to indicate the
following types of information:
- pathnames
- filenames
- URLs
- hostnames
- mailing list names
- new terms or concepts
- literal user input
- program output
- keywords
- variables
Text in "quotes," **bold text**, or *italics* is also used for emphasis or clarity.

311
doc/arm/introduction.rst
View File

@@ -1,311 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _Introduction:
Introduction
============
The Internet Domain Name System (DNS) consists of the syntax to specify
the names of entities in the Internet in a hierarchical manner, the
rules used for delegating authority over names, and the system
implementation that actually maps names to Internet addresses. DNS data
is maintained in a group of distributed hierarchical databases.
.. _doc_scope:
Scope of Document
-----------------
The Berkeley Internet Name Domain (BIND) implements a domain name server
for a number of operating systems. This document provides basic
information about the installation and care of the Internet Systems
Consortium (ISC) BIND version 9 software package for system
administrators.
This manual covers BIND version |release|.
.. _organization:
Organization of This Document
-----------------------------
In this document, *Chapter 1* introduces the basic DNS and BIND
concepts. *Chapter 2* describes resource requirements for running BIND
in various environments. Information in *Chapter 3* is *task-oriented*
in its presentation and is organized functionally, to aid in the process
of installing the BIND 9 software. The task-oriented section is followed
by *Chapter 4*, which is organized as a reference manual to aid in the ongoing
maintenance of the software. *Chapter 5* contains more advanced concepts that
the system administrator may need for implementing certain options. *Chapter 6*
addresses security considerations, and *Chapter 7* contains troubleshooting help.
The main body of the document is followed by several *appendices* which contain
useful reference information, such as a *bibliography* and historic
information related to BIND and the Domain Name System.
.. _conventions:
Conventions Used in This Document
---------------------------------
In this document, we generally use ``Fixed Width`` text to indicate the
following types of information:
- pathnames
- filenames
- URLs
- hostnames
- mailing list names
- new terms or concepts
- literal user input
- program output
- keywords
- variables
Text in "quotes," **bold**, or *italics* is also used for emphasis or clarity.
.. _dns_overview:
The Domain Name System (DNS)
----------------------------
This document explains the installation and upkeep
of the BIND (Berkeley Internet Name Domain) software package. We
begin by reviewing the fundamentals of the Domain Name System (DNS) as
they relate to BIND.
.. _dns_fundamentals:
DNS Fundamentals
~~~~~~~~~~~~~~~~
The Domain Name System (DNS) is a hierarchical, distributed database. It
stores information for mapping Internet host names to IP addresses and
vice versa, mail routing information, and other data used by Internet
applications.
Clients look up information in the DNS by calling a *resolver* library,
which sends queries to one or more *name servers* and interprets the
responses. The BIND 9 software distribution contains a name server,
:iscman:`named`, and a set of associated tools.
.. _domain_names:
Domains and Domain Names
~~~~~~~~~~~~~~~~~~~~~~~~
The data stored in the DNS is identified by *domain names* that are
organized as a tree according to organizational or administrative
boundaries. Each node of the tree, called a *domain*, is given a label.
The domain name of the node is the concatenation of all the labels on
the path from the node to the *root* node. This is represented in
written form as a string of labels listed from right to left and
separated by dots. A label need only be unique within its parent domain.
For example, a domain name for a host at the company *Example, Inc.*
could be ``ourhost.example.com``, where ``com`` is the top-level domain
to which ``ourhost.example.com`` belongs, ``example`` is a subdomain of
``com``, and ``ourhost`` is the name of the host.
For administrative purposes, the name space is partitioned into areas
called *zones*, each starting at a node and extending down to the "leaf"
nodes or to nodes where other zones start. The data for each zone is
stored in a *name server*, which answers queries about the zone using
the *DNS protocol*.
The data associated with each domain name is stored in the form of
*resource records* (RRs). Some of the supported resource record types
are described in :ref:`types_of_resource_records_and_when_to_use_them`.
For more detailed information about the design of the DNS and the DNS
protocol, please refer to the standards documents listed in :ref:`rfcs`.
Zones
~~~~~
To properly operate a name server, it is important to understand the
difference between a *zone* and a *domain*.
As stated previously, a zone is a point of delegation in the DNS tree. A
zone consists of those contiguous parts of the domain tree for which a
name server has complete information and over which it has authority. It
contains all domain names from a certain point downward in the domain
tree except those which are delegated to other zones. A delegation point
is marked by one or more *NS records* in the parent zone, which should
be matched by equivalent NS records at the root of the delegated zone.
For instance, consider the ``example.com`` domain, which includes names
such as ``host.aaa.example.com`` and ``host.bbb.example.com``, even
though the ``example.com`` zone includes only delegations for the
``aaa.example.com`` and ``bbb.example.com`` zones. A zone can map
exactly to a single domain, but could also include only part of a
domain, the rest of which could be delegated to other name servers.
Every name in the DNS tree is a *domain*, even if it is *terminal*, that
is, has no *subdomains*. Every subdomain is a domain and every domain
except the root is also a subdomain. The terminology is not intuitive
and we suggest reading :rfc:`1033`, :rfc:`1034`, and :rfc:`1035` to gain a complete
understanding of this difficult and subtle topic.
Though BIND 9 is called a "domain name server," it deals primarily in
terms of zones. The ``primary`` and ``secondary`` declarations in the :iscman:`named.conf`
file specify zones, not domains. When BIND asks some other site if it is
willing to be a secondary server for a *domain*, it is actually asking
for secondary service for some collection of *zones*.
.. _auth_servers:
Authoritative Name Servers
~~~~~~~~~~~~~~~~~~~~~~~~~~
Each zone is served by at least one *authoritative name server*, which
contains the complete data for the zone. To make the DNS tolerant of
server and network failures, most zones have two or more authoritative
servers, on different networks.
Responses from authoritative servers have the "authoritative answer"
(AA) bit set in the response packets. This makes them easy to identify
when debugging DNS configurations using tools like :iscman:`dig` (:ref:`diagnostic_tools`).
.. _primary_master:
The Primary Server
^^^^^^^^^^^^^^^^^^
The authoritative server, where the main copy of the zone data is
maintained, is called the *primary* (formerly *master*) server, or simply the
*primary*. Typically it loads the zone contents from some local file
edited by humans or perhaps generated mechanically from some other local
file which is edited by humans. This file is called the *zone file* or
*master file*.
In some cases, however, the master file may not be edited by humans at
all, but may instead be the result of *dynamic update* operations.
.. _secondary_server:
Secondary Servers
^^^^^^^^^^^^^^^^^
The other authoritative servers, the *secondary* servers (formerly known as
*slave* servers) load the zone contents from another server using a
replication process known as a *zone transfer*. Typically the data is
transferred directly from the primary, but it is also possible to
transfer it from another secondary. In other words, a secondary server may
itself act as a primary to a subordinate secondary server.
Periodically, the secondary server must send a refresh query to determine
whether the zone contents have been updated. This is done by sending a
query for the zone's Start of Authority (SOA) record and checking whether the SERIAL field
has been updated; if so, a new transfer request is initiated. The timing
of these refresh queries is controlled by the SOA REFRESH and RETRY
fields, but can be overridden with the ``max-refresh-time``,
``min-refresh-time``, ``max-retry-time``, and ``min-retry-time``
options.
If the zone data cannot be updated within the time specified by the SOA
EXPIRE option (up to a hard-coded maximum of 24 weeks), the secondary
zone expires and no longer responds to queries.
.. _stealth_server:
Stealth Servers
^^^^^^^^^^^^^^^
Usually, all of the zone's authoritative servers are listed in NS
records in the parent zone. These NS records constitute a *delegation*
of the zone from the parent. The authoritative servers are also listed
in the zone file itself, at the *top level* or *apex* of the zone.
Servers that are not in the parent's NS delegation can be listed in the
zone's top-level NS records, but servers that are not present at the
zone's top level cannot be listed in the parent's delegation.
A *stealth server* is a server that is authoritative for a zone but is
not listed in that zone's NS records. Stealth servers can be used for
keeping a local copy of a zone, to speed up access to the zone's records
or to make sure that the zone is available even if all the "official"
servers for the zone are inaccessible.
A configuration where the primary server itself is a stealth
server is often referred to as a "hidden primary" configuration. One use
for this configuration is when the primary is behind a firewall
and is therefore unable to communicate directly with the outside world.
.. _cache_servers:
Caching Name Servers
~~~~~~~~~~~~~~~~~~~~
The resolver libraries provided by most operating systems are *stub
resolvers*, meaning that they are not capable of performing the full DNS
resolution process by themselves by talking directly to the
authoritative servers. Instead, they rely on a local name server to
perform the resolution on their behalf. Such a server is called a
*recursive* name server; it performs *recursive lookups* for local
clients.
To improve performance, recursive servers cache the results of the
lookups they perform. Since the processes of recursion and caching are
intimately connected, the terms *recursive server* and *caching server*
are often used synonymously.
The length of time for which a record may be retained in the cache of a
caching name server is controlled by the Time-To-Live (TTL) field
associated with each resource record.
.. _forwarder:
Forwarding
^^^^^^^^^^
Even a caching name server does not necessarily perform the complete
recursive lookup itself. Instead, it can *forward* some or all of the
queries that it cannot satisfy from its cache to another caching name
server, commonly referred to as a *forwarder*.
Forwarders are typically used when an administrator does not wish for
all the servers at a given site to interact directly with the rest of
the Internet. For example, a common scenario is when multiple internal
DNS servers are behind an Internet firewall. Servers behind the firewall
forward their requests to the server with external access, which queries
Internet DNS servers on the internal servers' behalf.
Another scenario (largely now superseded by Response Policy Zones) is to
send queries first to a custom server for RBL processing before
forwarding them to the wider Internet.
There may be one or more forwarders in a given setup. The order in which
the forwarders are listed in :iscman:`named.conf` does not determine the
sequence in which they are queried; rather, :iscman:`named` uses the response
times from previous queries to select the server that is likely to
respond the most quickly. A server that has not yet been queried is
given an initial small random response time to ensure that it is tried
at least once. Dynamic adjustment of the recorded response times ensures
that all forwarders are queried, even those with slower response times.
This permits changes in behavior based on server responsiveness.
.. _multi_role:
Name Servers in Multiple Roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The BIND name server can simultaneously act as a primary for some zones,
a secondary for other zones, and as a caching (recursive) server for a set
of local clients.
However, since the functions of authoritative name service and
caching/recursive name service are logically separate, it is often
advantageous to run them on separate server machines. A server that only
provides authoritative name service (an *authoritative-only* server) can
run with recursion disabled, improving reliability and security. A
server that is not authoritative for any zones and only provides
recursive service to local clients (a *caching-only* server) does not
need to be reachable from the Internet at large and can be placed inside
a firewall.

0
doc/arm/logging-categories.rst → doc/arm/logging-categories.inc.rst
View File

6
doc/arm/managed-keys.rst → doc/arm/managed-keys.inc.rst
View File

@@ -12,7 +12,7 @@
.. _rfc5011.support: .. _rfc5011.support:
Dynamic Trust Anchor Management Dynamic Trust Anchor Management
------------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BIND is able to maintain DNSSEC trust anchors using :rfc:`5011` key BIND is able to maintain DNSSEC trust anchors using :rfc:`5011` key
management. This feature allows :iscman:`named` to keep track of changes to management. This feature allows :iscman:`named` to keep track of changes to
@@ -20,7 +20,7 @@ critical DNSSEC keys without any need for the operator to make changes
to configuration files. to configuration files.
Validating Resolver Validating Resolver
~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^
To configure a validating resolver to use :rfc:`5011` to maintain a trust To configure a validating resolver to use :rfc:`5011` to maintain a trust
anchor, configure the trust anchor using a ``trust-anchors`` statement and anchor, configure the trust anchor using a ``trust-anchors`` statement and
@@ -28,7 +28,7 @@ the ``initial-key`` keyword. Information about this can be found in
:ref:`trust-anchors`. :ref:`trust-anchors`.
Authoritative Server Authoritative Server
~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^
To set up an authoritative zone for :rfc:`5011` trust anchor maintenance, To set up an authoritative zone for :rfc:`5011` trust anchor maintenance,
generate two (or more) key signing keys (KSKs) for the zone. Sign the generate two (or more) key signing keys (KSKs) for the zone. Sign the

BIN
doc/arm/name-resolution.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/name-resolution.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

14
doc/arm/pkcs11.rst → doc/arm/pkcs11.inc.rst
View File

@@ -12,7 +12,7 @@
.. _pkcs11: .. _pkcs11:
PKCS#11 (Cryptoki) Support PKCS#11 (Cryptoki) Support
-------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~
Public Key Cryptography Standard #11 (PKCS#11) defines a Public Key Cryptography Standard #11 (PKCS#11) defines a
platform-independent API for the control of hardware security modules platform-independent API for the control of hardware security modules
@@ -32,7 +32,7 @@ OpenSSL instead.
.. _OpenSC: https://github.com/OpenSC/libp11 .. _OpenSC: https://github.com/OpenSC/libp11
Prerequisites Prerequisites
~~~~~~~~~~~~~ ^^^^^^^^^^^^^
See the documentation provided by the HSM vendor for information about See the documentation provided by the HSM vendor for information about
installing, initializing, testing, and troubleshooting the HSM. installing, initializing, testing, and troubleshooting the HSM.
@@ -65,7 +65,7 @@ with BIND.
$ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 $ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
OpenSSL-based PKCS#11 OpenSSL-based PKCS#11
~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^
OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project. OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
@@ -83,7 +83,7 @@ For more detailed howto including the examples, we recommend reading:
https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11 https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
Using the HSM Using the HSM
~~~~~~~~~~~~~ ^^^^^^^^^^^^^
The canonical documentation for configuring engine_pkcs11 is in the The canonical documentation for configuring engine_pkcs11 is in the
`libp11/README.md`_, but here's copy of working configuration for `libp11/README.md`_, but here's copy of working configuration for
@@ -132,7 +132,7 @@ Add following lines at the bottom of the file:
init = 0 init = 0
Key Generation Key Generation
~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^
HSM keys can now be created and used. We are going to assume that you already HSM keys can now be created and used. We are going to assume that you already
have a BIND 9 installed, either from a package, or from the sources, and the have a BIND 9 installed, either from a package, or from the sources, and the
@@ -213,7 +213,7 @@ this is when creating ECDSA keys, you should specify a unique ID:
Specifying the Engine on the Command Line Specifying the Engine on the Command Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be
specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E
@@ -228,7 +228,7 @@ provide the name of the OpenSSL engine using the -E command line option.
dnssec-signzone -E pkcs11 -S -o example.net example.net dnssec-signzone -E pkcs11 -S -o example.net example.net
Running :iscman:`named` With Automatic Zone Re-signing Running :iscman:`named` With Automatic Zone Re-signing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The zone can also be signed automatically by named. Again, we need to provide The zone can also be signed automatically by named. Again, we need to provide
the name of the OpenSSL engine using the :option:`-E <named -E>` command line option. the name of the OpenSSL engine using the :option:`-E <named -E>` command line option.

37
doc/arm/platforms.rst → doc/arm/platforms.inc.rst
View File

@@ -14,7 +14,7 @@
Supported Platforms Supported Platforms
------------------- -------------------
Current support status of various platforms and BIND 9 versions can be The current support status of BIND 9 versions across various platforms can be
found in the ISC Knowledgebase: found in the ISC Knowledgebase:
https://kb.isc.org/docs/supported-platforms https://kb.isc.org/docs/supported-platforms
@@ -27,22 +27,22 @@ the :ref:`required libraries <build_dependencies>`.
The following C11 features are used in BIND 9: The following C11 features are used in BIND 9:
- Atomic operations support, either in the form of C11 atomics or - Atomic operations support, either in the form of C11 atomics or
``__atomic`` builtin operations. **__atomic** builtin operations.
- Thread Local Storage support, either in the form of C11 - Thread Local Storage support, either in the form of C11
``_Thread_local``/``thread_local``, or the ``__thread`` GCC **_Thread_local**/**thread_local**, or the **__thread** GCC
extension. extension.
The C11 variants are preferred. The C11 variants are preferred.
ISC regularly tests BIND on many operating systems and architectures, ISC regularly tests BIND on many operating systems and architectures,
but lacks the resources to test all of them. Consequently, ISC is only but lacks the resources to test all of them. Consequently, ISC is only
able to offer support on a “best effort” basis for some. able to offer support on a “best-effort” basis for some.
Regularly tested platforms Regularly Tested Platforms
~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~
As of Jan 2022, BIND 9.19 is fully supported and regularly tested on the As of April 2022, current versions of BIND 9 are fully supported and regularly tested on the
following systems: following systems:
- Debian 9, 10, 11 - Debian 9, 10, 11
@@ -53,10 +53,10 @@ following systems:
- OpenBSD 7.0 - OpenBSD 7.0
- Alpine Linux 3.15 - Alpine Linux 3.15
The amd64, i386, armhf and arm64 CPU architectures are all fully The amd64, i386, armhf, and arm64 CPU architectures are all fully
supported. supported.
Best effort Best-Effort
~~~~~~~~~~~ ~~~~~~~~~~~
The following are platforms on which BIND is known to build and run. ISC The following are platforms on which BIND is known to build and run. ISC
@@ -77,11 +77,11 @@ regularly by ISC.
- OpenWRT/LEDE 17.01+ - OpenWRT/LEDE 17.01+
- Other CPU architectures (mips, mipsel, sparc, …) - Other CPU architectures (mips, mipsel, sparc, …)
Community maintained Community-Maintained
~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
These systems may not all have the required dependencies for building These systems may not all have the required dependencies for building
BIND easily available, although it will be possible in many cases to BIND easily available, although it is possible in many cases to
compile those directly from source. The community and interested parties compile those directly from source. The community and interested parties
may wish to help with maintenance, and we welcome patch contributions, may wish to help with maintenance, and we welcome patch contributions,
although we cannot guarantee that we will accept them. All contributions although we cannot guarantee that we will accept them. All contributions
@@ -98,13 +98,22 @@ supported platforms.
Unsupported Platforms Unsupported Platforms
--------------------- ---------------------
These are platforms on which BIND 9.19 is known *not* to build or run: These are platforms on which current versions of BIND 9 are known *not* to build or run:
- Platforms without at least OpenSSL 1.0.2 - Platforms without at least OpenSSL 1.0.2
- Windows - Windows
- Solaris 10 and older - Solaris 10 and older
- Platforms that dont support IPv6 Advanced Socket API (RFC 3542) - Platforms that do not support IPv6 Advanced Socket API (RFC 3542)
- Platforms that dont support atomic operations (via compiler or - Platforms that do not support atomic operations (via compiler or
library) library)
- Linux without NPTL (Native POSIX Thread Library) - Linux without NPTL (Native POSIX Thread Library)
- Platforms on which ``libuv`` cannot be compiled - Platforms on which **libuv** cannot be compiled
Installing BIND 9
-----------------
:ref:`build_bind` contains complete instructions for how to build BIND 9.
The ISC `Knowledgebase <https://kb.isc.org/>`_ contains many useful articles about installing
BIND 9 on specific platforms.

2
doc/arm/plugins.rst → doc/arm/plugins.inc.rst
View File

@@ -12,7 +12,7 @@
.. _module-info: .. _module-info:
Plugins Plugins
------- ~~~~~~~
Plugins are a mechanism to extend the functionality of :iscman:`named` using Plugins are a mechanism to extend the functionality of :iscman:`named` using
dynamically loadable libraries. By using plugins, core server dynamically loadable libraries. By using plugins, core server

BIN
doc/arm/primary-secondary.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/primary-secondary.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
doc/arm/recursive-query.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/recursive-query.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

478
doc/arm/reference.rst
View File

@@ -9,10 +9,10 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. Reference: .. _reference:
BIND 9 Configuration Reference Configuration Reference
============================== =======================
.. _configuration_file_elements: .. _configuration_file_elements:
@@ -245,7 +245,7 @@ line, as in C++ comments. For example:
in a zone file. The semicolon indicates the end of a in a zone file. The semicolon indicates the end of a
configuration statement. configuration statement.
.. _Configuration_File_Grammar: .. _configuration_file_grammar:
Configuration File Grammar Configuration File Grammar
-------------------------- --------------------------
@@ -284,6 +284,8 @@ The following statements are supported:
``parental-agents`` ``parental-agents``
Defines a named list of servers for inclusion in primary and secondary zones' ``parental-agents`` lists. Defines a named list of servers for inclusion in primary and secondary zones' ``parental-agents`` lists.
.. _primaries:
``primaries`` ``primaries``
Defines a named list of servers for inclusion in stub and secondary zones' ``primaries`` or ``also-notify`` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.) Defines a named list of servers for inclusion in stub and secondary zones' ``primaries`` or ``also-notify`` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.)
@@ -311,6 +313,8 @@ The following statements are supported:
``view`` ``view``
Defines a view. Defines a view.
.. _zone_clause:
``zone`` ``zone``
Defines a zone. Defines a zone.
@@ -586,6 +590,8 @@ handles messages sent to this facility is described in the
version of ``syslog``, which only uses two arguments to the ``openlog()`` version of ``syslog``, which only uses two arguments to the ``openlog()``
function, this clause is silently ignored. function, this clause is silently ignored.
.. _severity:
The ``severity`` clause works like ``syslog``'s "priorities," except The ``severity`` clause works like ``syslog``'s "priorities," except
that they can also be used when writing straight to a file rather that they can also be used when writing straight to a file rather
than using ``syslog``. Messages which are not at least of the severity than using ``syslog``. Messages which are not at least of the severity
@@ -760,7 +766,7 @@ The following are the available categories and brief descriptions of the
types of log information they contain. More categories may be added in types of log information they contain. More categories may be added in
future BIND releases. future BIND releases.
.. include:: logging-categories.rst .. include:: logging-categories.inc.rst
.. _query_errors: .. _query_errors:
@@ -982,6 +988,8 @@ default is used.
administrator's responsibility to ensure that configuration differences in administrator's responsibility to ensure that configuration differences in
different views do not cause disruption with a shared cache. different views do not cause disruption with a shared cache.
.. _directory:
``directory`` ``directory``
This sets the working directory of the server. Any non-absolute pathnames in This sets the working directory of the server. Any non-absolute pathnames in
the configuration file are taken as relative to this directory. the configuration file are taken as relative to this directory.
@@ -1819,9 +1827,11 @@ Boolean Options
unnecessary records are added to the authority or additional unnecessary records are added to the authority or additional
sections. The default is ``no``. sections. The default is ``no``.
.. _notify_st:
``notify`` ``notify``
If set to ``yes`` (the default), DNS NOTIFY messages are sent when a If set to ``yes`` (the default), DNS NOTIFY messages are sent when a
zone the server is authoritative for changes; see :ref:`notify`. zone the server is authoritative for changes; see :ref:`using notify<notify>`.
The messages are sent to the servers listed in the zone's NS records The messages are sent to the servers listed in the zone's NS records
(except the primary server identified in the SOA MNAME field), and to (except the primary server identified in the SOA MNAME field), and to
any servers listed in the ``also-notify`` option. any servers listed in the ``also-notify`` option.
@@ -1845,6 +1855,8 @@ Boolean Options
ultimate primary should be set to still send NOTIFY messages to all the name servers ultimate primary should be set to still send NOTIFY messages to all the name servers
listed in the NS RRset. listed in the NS RRset.
.. _recursion:
``recursion`` ``recursion``
If ``yes``, and a DNS query requests recursion, then the server If ``yes``, and a DNS query requests recursion, then the server
attempts to do all the work required to answer the query. If recursion attempts to do all the work required to answer the query. If recursion
@@ -2310,6 +2322,8 @@ access to the Internet, but wish to look up exterior names anyway.
Forwarding occurs only on those queries for which the server is not Forwarding occurs only on those queries for which the server is not
authoritative and does not have the answer in its cache. authoritative and does not have the answer in its cache.
.. _forward:
``forward`` ``forward``
This option is only meaningful if the forwarders list is not empty. A This option is only meaningful if the forwarders list is not empty. A
value of ``first`` is the default and causes the server to query the value of ``first`` is the default and causes the server to query the
@@ -2317,6 +2331,8 @@ authoritative and does not have the answer in its cache.
server then looks for the answer itself. If ``only`` is server then looks for the answer itself. If ``only`` is
specified, the server only queries the forwarders. specified, the server only queries the forwarders.
.. _forwarders:
``forwarders`` ``forwarders``
This specifies a list of IP addresses to which queries are forwarded. The This specifies a list of IP addresses to which queries are forwarded. The
default is the empty list (no forwarding). Each address in the list can be default is the empty list (no forwarding). Each address in the list can be
@@ -2394,6 +2410,8 @@ for details on how to specify IP address lists.
.. note:: ``allow-query-cache`` is used to specify access to the cache. .. note:: ``allow-query-cache`` is used to specify access to the cache.
.. _allow-query-cache:
``allow-query-cache`` ``allow-query-cache``
This specifies which hosts are allowed to get answers from the cache. If This specifies which hosts are allowed to get answers from the cache. If
``allow-recursion`` is not set, BIND checks to see if the following parameters ``allow-recursion`` is not set, BIND checks to see if the following parameters
@@ -2461,6 +2479,8 @@ for details on how to specify IP address lists.
.. _allow-transfer-access: .. _allow-transfer-access:
.. _allow-transfer:
``allow-transfer`` ``allow-transfer``
This specifies which hosts are allowed to receive zone transfers from the This specifies which hosts are allowed to receive zone transfers from the
server. ``allow-transfer`` may also be specified in the ``zone`` server. ``allow-transfer`` may also be specified in the ``zone``
@@ -2714,6 +2734,8 @@ BIND has mechanisms in place to facilitate zone transfers and set limits
on the amount of load that transfers place on the system. The following on the amount of load that transfers place on the system. The following
options apply to zone transfers. options apply to zone transfers.
.. _also-notify:
``also-notify`` ``also-notify``
This option defines a global list of IP addresses of name servers that are also This option defines a global list of IP addresses of name servers that are also
sent NOTIFY messages whenever a fresh copy of the zone is loaded, in sent NOTIFY messages whenever a fresh copy of the zone is loaded, in
@@ -3114,6 +3136,8 @@ system.
``reserved-sockets`` ``reserved-sockets``
This option is deprecated and no longer has any effect. This option is deprecated and no longer has any effect.
.. _max-cache-size:
``max-cache-size`` ``max-cache-size``
This sets the maximum amount of memory to use for an individual cache This sets the maximum amount of memory to use for an individual cache
database and its associated metadata, in bytes or percentage of total database and its associated metadata, in bytes or percentage of total
@@ -3942,9 +3966,13 @@ away from the infrastructure servers.
This specifies the contact name that appears in the returned SOA record for This specifies the contact name that appears in the returned SOA record for
empty zones. If none is specified, "." is used. empty zones. If none is specified, "." is used.
.. _empty-zones-enable:
``empty-zones-enable`` ``empty-zones-enable``
This enables or disables all empty zones. By default, they are enabled. This enables or disables all empty zones. By default, they are enabled.
.. _disable-empty-zone:
``disable-empty-zone`` ``disable-empty-zone``
This disables individual empty zones. By default, none are disabled. This This disables individual empty zones. By default, none are disabled. This
option can be specified multiple times. option can be specified multiple times.
@@ -5575,6 +5603,8 @@ Here is an example of a typical split DNS setup implemented using
.. _zone_types: .. _zone_types:
.. _type:
Zone Types Zone Types
^^^^^^^^^^ ^^^^^^^^^^
@@ -5828,6 +5858,8 @@ Zone Options
``allow-notify`` ``allow-notify``
See the description of ``allow-notify`` in :ref:`access_control`. See the description of ``allow-notify`` in :ref:`access_control`.
.. _allow-query:
``allow-query`` ``allow-query``
See the description of ``allow-query`` in :ref:`access_control`. See the description of ``allow-query`` in :ref:`access_control`.
@@ -5924,6 +5956,8 @@ Zone Options
.. _file-option: .. _file-option:
.. _file:
``file`` ``file``
This sets the zone's filename. In ``primary``, ``hint``, and ``redirect`` This sets the zone's filename. In ``primary``, ``hint``, and ``redirect``
zones which do not have ``primaries`` defined, zone data is loaded from zones which do not have ``primaries`` defined, zone data is loaded from
@@ -6379,438 +6413,6 @@ An ``in-view`` zone cannot be used as a response policy zone.
An ``in-view`` zone is not intended to reference a ``forward`` zone. An ``in-view`` zone is not intended to reference a ``forward`` zone.
.. _zone_file:
Zone File
---------
.. _types_of_resource_records_and_when_to_use_them:
Types of Resource Records and When to Use Them
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section, largely borrowed from :rfc:`1034`, describes the concept of a
Resource Record (RR) and explains when each type is used. Since the
publication of :rfc:`1034`, several new RRs have been identified and
implemented in the DNS. These are also included.
Resource Records
^^^^^^^^^^^^^^^^
A domain name identifies a node. Each node has a set of resource
information, which may be empty. The set of resource information
associated with a particular name is composed of separate RRs. The order
of RRs in a set is not significant and need not be preserved by name
servers, resolvers, or other parts of the DNS. However, sorting of
multiple RRs is permitted for optimization purposes: for example, to
specify that a particular nearby server be tried first. See
:ref:`the_sortlist_statement` and :ref:`rrset_ordering`.
The components of a Resource Record are:
owner name
The domain name where the RR is found.
type
An encoded 16-bit value that specifies the type of the resource record.
TTL
The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.
class
An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
RDATA
The resource data. The format of the data is type- and sometimes class-specific.
For a complete list of *types* of valid RRs, including those that have been obsoleted, please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
The following *classes* of resource records are currently valid in the
DNS:
IN
The Internet.
CH
Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., ``version.bind``.
HS
Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
The owner name is often implicit, rather than forming an integral part
of the RR. For example, many name servers internally form tree or hash
structures for the name space, and chain RRs off nodes. The remaining RR
parts are the fixed header (type, class, TTL), which is consistent for
all RRs, and a variable part (RDATA) that fits the needs of the resource
being described.
The TTL field is a time limit on how long an RR can be
kept in a cache. This limit does not apply to authoritative data in
zones; that also times out, but follows the refreshing policies for the
zone. The TTL is assigned by the administrator for the zone where the
data originates. While short TTLs can be used to minimize caching, and a
zero TTL prohibits caching, the realities of Internet performance
suggest that these times should be on the order of days for the typical
host. If a change is anticipated, the TTL can be reduced prior to
the change to minimize inconsistency, and then
increased back to its former value following the change.
The data in the RDATA section of RRs is carried as a combination of
binary strings and domain names. The domain names are frequently used as
"pointers" to other data in the DNS.
.. _rr_text:
Textual Expression of RRs
^^^^^^^^^^^^^^^^^^^^^^^^^
RRs are represented in binary form in the packets of the DNS protocol,
and are usually represented in highly encoded form when stored in a name
server or resolver. In the examples provided in :rfc:`1034`, a style
similar to that used in primary files was employed in order to show the
contents of RRs. In this format, most RRs are shown on a single line,
although continuation lines are possible using parentheses.
The start of the line gives the owner of the RR. If a line begins with a
blank, then the owner is assumed to be the same as that of the previous
RR. Blank lines are often included for readability.
Following the owner are listed the TTL, type, and class of the RR. Class
and type use the mnemonics defined above, and TTL is an integer before
the type field. To avoid ambiguity in parsing, type and class
mnemonics are disjoint, TTLs are integers, and the type mnemonic is
always last. The IN class and TTL values are often omitted from examples
in the interest of clarity.
The resource data or RDATA section of the RR is given using knowledge
of the typical representation for the data.
For example, the RRs carried in a message might be shown as:
+---------------------+---------------+--------------------------------+
| ``ISI.EDU.`` | ``MX`` | ``10 VENERA.ISI.EDU.`` |
+---------------------+---------------+--------------------------------+
| | ``MX`` | ``10 VAXA.ISI.EDU`` |
+---------------------+---------------+--------------------------------+
| ``VENERA.ISI.EDU`` | ``A`` | ``128.9.0.32`` |
+---------------------+---------------+--------------------------------+
| | ``A`` | ``10.1.0.52`` |
+---------------------+---------------+--------------------------------+
| ``VAXA.ISI.EDU`` | ``A`` | ``10.2.0.27`` |
+---------------------+---------------+--------------------------------+
| | ``A`` | ``128.9.0.33`` |
+---------------------+---------------+--------------------------------+
The MX RRs have an RDATA section which consists of a 16-bit number
followed by a domain name. The address RRs use a standard IP address
format to contain a 32-bit Internet address.
The above example shows six RRs, with two RRs at each of three domain
names.
Here is another possible example:
+----------------------+---------------+-------------------------------+
| ``XX.LCS.MIT.EDU.`` | ``IN A`` | ``10.0.0.44`` |
+----------------------+---------------+-------------------------------+
| | ``CH A`` | ``MIT.EDU. 2420`` |
+----------------------+---------------+-------------------------------+
This shows two addresses for ``XX.LCS.MIT.EDU``, each of a
different class.
.. _mx_records:
Discussion of MX Records
~~~~~~~~~~~~~~~~~~~~~~~~
As described above, domain servers store information as a series of
resource records, each of which contains a particular piece of
information about a given domain name (which is usually, but not always,
a host). The simplest way to think of an RR is as a typed pair of data, a
domain name matched with a relevant datum and stored with some
additional type information, to help systems determine when the RR is
relevant.
MX records are used to control delivery of email. The data specified in
the record is a priority and a domain name. The priority controls the
order in which email delivery is attempted, with the lowest number
first. If two priorities are the same, a server is chosen randomly. If
no servers at a given priority are responding, the mail transport agent
falls back to the next largest priority. Priority numbers do not
have any absolute meaning; they are relevant only respective to other
MX records for that domain name. The domain name given is the machine to
which the mail is delivered. It *must* have an associated address
record (A or AAAA); CNAME is not sufficient.
For a given domain, if there is both a CNAME record and an MX record,
the MX record is in error and is ignored. Instead, the mail is
delivered to the server specified in the MX record pointed to by the
CNAME. For example:
+------------------------+--------+--------+--------------+------------------------+
| ``example.com.`` | ``IN`` | ``MX`` | ``10`` | ``mail.example.com.`` |
+------------------------+--------+--------+--------------+------------------------+
| | ``IN`` | ``MX`` | ``10`` | ``mail2.example.com.`` |
+------------------------+--------+--------+--------------+------------------------+
| | ``IN`` | ``MX`` | ``20`` | ``mail.backup.org.`` |
+------------------------+--------+--------+--------------+------------------------+
| ``mail.example.com.`` | ``IN`` | ``A`` | ``10.0.0.1`` | |
+------------------------+--------+--------+--------------+------------------------+
| ``mail2.example.com.`` | ``IN`` | ``A`` | ``10.0.0.2`` | |
+------------------------+--------+--------+--------------+------------------------+
Mail delivery is attempted to ``mail.example.com`` and
``mail2.example.com`` (in any order); if neither of those succeeds,
delivery to ``mail.backup.org`` is attempted.
.. _Setting_TTLs:
Setting TTLs
~~~~~~~~~~~~
The time-to-live (TTL) of the RR field is a 32-bit integer represented in
units of seconds, and is primarily used by resolvers when they cache
RRs. The TTL describes how long an RR can be cached before it should be
discarded. The following three types of TTLs are currently used in a zone
file.
SOA
The last field in the SOA is the negative caching TTL. This controls how long other servers cache no-such-domain (NXDOMAIN) responses from this server.
The maximum time for negative caching is 3 hours (3h).
$TTL
The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
RR TTLs
Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
All of these TTLs default to units of seconds, though units can be
explicitly specified: for example, ``1h30m``.
.. _ipv4_reverse:
Inverse Mapping in IPv4
~~~~~~~~~~~~~~~~~~~~~~~
Reverse name resolution (that is, translation from IP address to name)
is achieved by means of the ``in-addr.arpa`` domain and PTR records.
Entries in the in-addr.arpa domain are made in least-to-most significant
order, read left to right. This is the opposite order to the way IP
addresses are usually written. Thus, a machine with an IP address of
10.1.2.3 would have a corresponding in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose
data field is the name of the machine or, optionally, multiple PTR
records if the machine has more than one name. For example, in the
``example.com`` domain:
+--------------+-------------------------------------------------------+
| ``$ORIGIN`` | ``2.1.10.in-addr.arpa`` |
+--------------+-------------------------------------------------------+
| ``3`` | ``IN PTR foo.example.com.`` |
+--------------+-------------------------------------------------------+
.. note::
The ``$ORIGIN`` line in this example is only to provide context;
it does not necessarily appear in the actual
usage. It is only used here to indicate that the example is
relative to the listed origin.
.. _zone_directives:
Other Zone File Directives
~~~~~~~~~~~~~~~~~~~~~~~~~~
The DNS "master file" format was initially defined in :rfc:`1035` and has
subsequently been extended. While the format itself is class-independent,
all records in a zone file must be of the same class.
Master file directives include ``$ORIGIN``, ``$INCLUDE``, and ``$TTL.``
.. _atsign:
The ``@`` (at-sign)
^^^^^^^^^^^^^^^^^^^
When used in the label (or name) field, the asperand or at-sign (@)
symbol represents the current origin. At the start of the zone file, it
is the <``zone_name``>, followed by a trailing dot (.).
.. _origin_directive:
The ``$ORIGIN`` Directive
^^^^^^^^^^^^^^^^^^^^^^^^^
Syntax: ``$ORIGIN`` domain-name [comment]
``$ORIGIN`` sets the domain name that is appended to any
unqualified records. When a zone is first read, there is an implicit
``$ORIGIN`` <``zone_name``>``.``; note the trailing dot. The
current ``$ORIGIN`` is appended to the domain specified in the
``$ORIGIN`` argument if it is not absolute.
::
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
is equivalent to
::
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
.. _include_directive:
The ``$INCLUDE`` Directive
^^^^^^^^^^^^^^^^^^^^^^^^^^
Syntax: ``$INCLUDE`` filename [origin] [comment]
This reads and processes the file ``filename`` as if it were included in the
file at this point. The ``filename`` can be an absolute path, or a relative
path. In the latter case it is read from :iscman:`named`'s working directory. If
``origin`` is specified, the file is processed with ``$ORIGIN`` set to that
value; otherwise, the current ``$ORIGIN`` is used.
The origin and the current domain name revert to the values they had
prior to the ``$INCLUDE`` once the file has been read.
.. note::
:rfc:`1035` specifies that the current origin should be restored after
an ``$INCLUDE``, but it is silent on whether the current domain name
should also be restored. BIND 9 restores both of them. This could be
construed as a deviation from :rfc:`1035`, a feature, or both.
.. _ttl_directive:
The ``$TTL`` Directive
^^^^^^^^^^^^^^^^^^^^^^
Syntax: ``$TTL`` default-ttl [comment]
This sets the default Time-To-Live (TTL) for subsequent records with undefined
TTLs. Valid TTLs are of the range 0-2147483647 seconds.
``$TTL`` is defined in :rfc:`2308`.
.. _generate_directive:
BIND Primary File Extension: the ``$GENERATE`` Directive
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Syntax: ``$GENERATE`` range lhs [ttl] [class] type rhs [comment]
``$GENERATE`` is used to create a series of resource records that only
differ from each other by an iterator. ``$GENERATE`` can be used to
easily generate the sets of records required to support sub-/24 reverse
delegations described in :rfc:`2317`.
::
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
is equivalent to
::
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
Both generate a set of A and MX records. Note the MX's right-hand side is a
quoted string. The quotes are stripped when the right-hand side is
processed.
::
$ORIGIN EXAMPLE.
$GENERATE 1-127 HOST-$ A 1.2.3.$
$GENERATE 1-127 HOST-$ MX "0 ."
is equivalent to
::
HOST-1.EXAMPLE. A 1.2.3.1
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
...
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
``range``
This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. "start", "stop", and "step" must be positive integers between 0 and (2^31)-1. "start" must not be larger than "stop".
``owner``
This describes the owner name of the resource records to be created. Any single ``$`` (dollar sign) symbols within the ``owner`` string are replaced by the iterator value. To get a ``$`` in the output, escape the ``$`` using a backslash ``\``, e.g., ``\$``. The ``$`` may optionally be followed by modifiers which change the offset from the iterator, field width, and base.
Modifiers are introduced by a ``{`` (left brace) immediately following the ``$``, as in ``${offset[,width[,base]]}``. For example, ``${-20,3,d}`` subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (``d``), octal (``o``), hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n`` or ``N`` for uppercase).
The default modifier is ``${0,0,d}``. If the ``owner`` is not absolute, the current ``$ORIGIN`` is appended to the name.
In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator.
For compatibility with earlier versions, ``$$`` is still recognized as indicating a literal $ in the output.
``ttl``
This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules.
``class`` and ``ttl`` can be entered in either order.
``class``
This specifies the class of the generated records. This must match the zone class if it is specified.
``class`` and ``ttl`` can be entered in either order.
``type``
This can be any valid type.
``rdata``
This is a string containing the RDATA of the resource record to be created. It may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record.
The ``$GENERATE`` directive is a BIND extension and not part of the
standard zone file format.
.. _zonefile_format:
Additional File Formats
~~~~~~~~~~~~~~~~~~~~~~~
In addition to the standard text format, BIND 9 supports the ability
to read or dump to zone files in other formats.
The ``raw`` format is a binary representation of zone data in a manner
similar to that used in zone transfers. Since it does not require
parsing text, load time is significantly reduced.
For a primary server, a zone file in ``raw`` format is expected
to be generated from a text zone file by the :iscman:`named-compilezone` command.
For a secondary server or a dynamic zone, the zone file is automatically
generated when :iscman:`named` dumps the zone contents after zone transfer or
when applying prior updates, if one of these formats is specified by the
``masterfile-format`` option.
If a zone file in ``raw`` format needs manual modification, it first must
be converted to ``text`` format by the :iscman:`named-compilezone` command,
then converted back after editing. For example:
::
named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
[edit zonefile.text]
named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text
.. _statistics: .. _statistics:

10
doc/arm/requirements.rst → doc/arm/requirements.inc.rst
View File

@@ -9,10 +9,10 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. _Requirements: .. _requirements:
BIND Resource Requirements Resource Requirements
========================== =====================
.. _hw_req: .. _hw_req:
@@ -45,7 +45,7 @@ Memory Requirements
------------------- -------------------
Server memory must be sufficient to hold both the cache and the Server memory must be sufficient to hold both the cache and the
zones loaded from disk. The ``max-cache-size`` option can zones loaded from disk. The :ref:`max-cache-size<max-cache-size>` option can
limit the amount of memory used by the cache, at the expense of reducing limit the amount of memory used by the cache, at the expense of reducing
cache hit rates and causing more DNS traffic. It is still good practice cache hit rates and causing more DNS traffic. It is still good practice
to have enough memory to load all zone and cache data into memory; to have enough memory to load all zone and cache data into memory;
@@ -70,5 +70,3 @@ much memory or CPU power as in the first alternative, but this has the
disadvantage of making many more external queries, as none of the name disadvantage of making many more external queries, as none of the name
servers share their cached data. servers share their cached data.
.. include:: platforms.rst
.. include:: build.rst

BIN
doc/arm/resolver-forward.dia Normal file
View File

Binary file not shown.

BIN
doc/arm/resolver-forward.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

782
doc/arm/rpz.inc.rst Normal file
View File

@@ -0,0 +1,782 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight:: none
.. dns_firewalls_rpz:
DNS Firewalls and Response Policy Zones
---------------------------------------
A DNS firewall examines DNS traffic and allows some responses to pass
through while blocking others. This examination can be based on several
criteria, including the name requested, the data (such as an IP address)
associated with that name, or the name or IP address of the name server
that is authoritative for the requested name. Based on these criteria, a
DNS firewall can be configured to discard, modify, or replace the original
response, allowing administrators more control over what systems can access
or be accessed from their networks.
DNS Response Policy Zones (RPZ) are a form of DNS firewall in which the
firewall rules are expressed within the DNS itself - encoded in an open,
vendor-neutral format as records in specially constructed DNS zones.
Using DNS zones to configure policy allows policy to be shared from
one server to another using the standard DNS zone transfer mechanism.
This allows a DNS operator to maintain their own firewall policies and
share them easily amongst their internal name servers, or to subscribe to
external firewall policies such as commercial or cooperative "threat
feeds," or both.
:iscman:`named` can subscribe to up to 64 Response Policy Zones, each of which
encodes a separate policy rule set. Each rule is stored in a DNS resource
record set (RRset) within the RPZ, and consists of a **trigger** and an
**action**. There are four types of triggers and four types of actions.
A response policy rule in a DNS RPZ can be triggered as follows:
- by the query name
- by an address which would be present in a truthful response
- by the name or address of an authoritative name server responsible for
publishing the original response
A response policy action can be one of the following:
- to synthesize a "domain does not exist" (NXDOMAIN) response
- to synthesize a "name exists but there are no records of the requested
type" (NODATA) response
- to replace/override the response's data with specific data (provided
within the response policy zone)
- to exempt the response from further policy processing
The most common use of a DNS firewall is to "poison" a domain name, IP
address, name server name, or name server IP address. Poisoning is usually
done by forcing a synthetic "domain does not exist" (NXDOMAIN) response.
This means that if an administrator maintains a list of known "phishing"
domains, these names can be made unreachable by customers or end users just
by adding a firewall policy into the recursive DNS server, with a trigger
for each known "phishing" domain, and an action in every case forcing a
synthetic NXDOMAIN response. It is also possible to use a data-replacement
action such as answering for these known "phishing" domains with the name
of a local web server that can display a warning page. Such a web server
would be called a "walled garden."
.. note::
Authoritative name servers can be responsible for many different domains.
If DNS RPZ is used to poison all domains served by some authoritative
name server name or address, the effects can be quite far-reaching. Users
are advised to ensure that such authoritative name servers do not also
serve domains that should not be poisoned.
.. _why_dns_firewall:
Why Use a DNS Firewall?
~~~~~~~~~~~~~~~~~~~~~~~
Criminal and network abuse traffic on the Internet often uses the Domain
Name System (DNS), so protection against these threats should include DNS
firewalling. A DNS firewall can selectively intercept DNS queries for
known network assets including domain names, IP addresses, and name
servers. Interception can mean rewriting a DNS response to direct a web
browser to a "walled garden," or simply making any malicious network assets
invisible and unreachable.
.. _what_dns_firewalls_do:
What Can a DNS Firewall Do?
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Firewalls work by applying a set of rules to a traffic flow, where each
rule consists of a trigger and an action. Triggers determine which messages
within the traffic flow are handled specially, and actions determine what
that special handling is. For a DNS firewall, the traffic flow to be
controlled consists of responses sent by a recursive DNS server to its
end-user clients. Some true responses are not safe for all clients, so the
policy rules in a DNS firewall allow some responses to be intercepted and
replaced with safer content.
.. _rpz_rule_sets:
Creating and Maintaining RPZ Rule Sets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In DNS RPZ, the DNS firewall policy rule set is stored in a DNS zone, which
is maintained and synchronized using the same tools and methods as for any
other DNS zone. The primary name server for a DNS RPZ may be an internal
server, if an administrator is creating and maintaining their own DNS
policy zone, or it may be an external name server (such as a security
vendor's server), if importing a policy zone published externally. The
primary copy of the DNS firewall policy can be a DNS "zone file" which is
either edited by hand or generated from a database. A DNS zone can also be
edited indirectly using DNS dynamic updates (for example, using the
"nsupdate" shell level utility).
DNS RPZ allows firewall rules to be expressed in a DNS zone format and then
carried to subscribers as DNS data. A recursive DNS server which is capable
of processing DNS RPZ synchronizes these DNS firewall rules using the same
standard DNS tools and protocols used for secondary name service. The DNS
policy information is then promoted to the DNS control plane inside the
customer's DNS resolver, making that server into a DNS firewall.
A security company whose products include threat intelligence feeds can use
a DNS Response Policy Zone (RPZ) as a delivery channel to customers.
Threats can be expressed as known-malicious IP addresses and subnets,
known-malicious domain names, and known-malicious domain name servers. By
feeding this threat information directly into customers' local DNS
resolvers, providers can transform these DNS servers into a distributed DNS
firewall.
When a customer's DNS resolver is connected by a realtime subscription to a
threat intelligence feed, the provider can protect the customer's end users
from malicious network elements (including IP addresses and subnets, domain
names, and name servers) immediately as they are discovered. While it may
take days or weeks to "take down" criminal and abusive infrastructure once
reported, a distributed DNS firewall can respond instantly.
Other distributed TCP/IP firewalls have been on the market for many years,
and enterprise users are now comfortable importing real-time threat
intelligence from their security vendors directly into their firewalls.
This intelligence can take the form of known-malicious IP addresses or
subnets, or of patterns which identify known-malicious email attachments,
file downloads, or web addresses (URLs). In some products it is also
possible to block DNS packets based on the names or addresses they carry.
.. _rpz_limitations:
Limitations of DNS RPZ
~~~~~~~~~~~~~~~~~~~~~~
We're often asked if DNS RPZ could be used to set up redirection to a CDN.
For example, if "mydomain.com" is a normal domain with SOA, NS, MX, TXT
records etc., then if someone sends an A or AAAA query for "mydomain.com",
can we use DNS RPZ on an authoritative nameserver to return "CNAME
mydomain.com.my-cdn-provider.net"?
The problem with this suggestion is that there is no way to CNAME only A
and AAAA queries, not even with RPZ.
The underlying reason is that if the authoritative server answers with a
CNAME, the recursive server making that query will cache the response.
Thereafter (while the CNAME is still in cache), it assumes that there are
no records of any non-CNAME type for the name that was being queried, and
directs subsequent queries for all other types directly to the target name
of the CNAME record.
To be clear, this is not a limitation of RPZ; it is a function of the way
the DNS protocol works. It's simply not possible to use "partial" CNAMES to
help when setting up CDNs because doing this will break other functionality
such as email routing.
Similarly, following the DNS protocol definition, wildcards in the form of
``*.example`` records might behave in unintuitive ways. For a detailed
definition of wildcards in DNS, please see :rfc:`4592`, especially section 2.
.. _dns_firewall_examples:
DNS Firewall Usage Examples
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here are some scenarios in which a DNS firewall might be useful.
Some known threats are based on an IP address or subnet (IP address range).
For example, an analysis may show that all addresses in a "class C" network
are used by a criminal gang for "phishing" web servers. With a DNS firewall
based on DNS RPZ, a firewall policy can be created such as "if a DNS lookup
would result in an address from this class C network, then answer instead
with an NXDOMAIN indication." That simple rule would prevent any end users
inside customers' networks from being able to look up any domain name used
in this phishing attack without having to know in advance what those
names might be.
Other known threats are based on domain names. An analysis may determine
that a certain domain name or set of domain names is being or will shortly
be used for spamming, phishing, or other Internet-based attacks which all
require working domain names. By adding name-triggered rules to a
distributed DNS firewall, providers can protect customers' end users from
any attacks which require them to be able to look up any of these malicious
names. The names can be wildcards (for example, \*.evil.com), and these
wildcards can have exceptions if some domains are not as malicious as
others (if \*.evil.com is bad, then not.evil.com might be an exception).
Alongside growth in electronic crime has come growth of electronic criminal
expertise. Many criminal gangs now maintain their own extensive DNS
infrastructure to support a large number of domain names and a diverse set
of IP addressing resources. Analyses show in many cases that the only truly
fixed assets criminal organizations have are their name servers, which are
by nature slightly less mobile than other network assets. In such cases,
DNS administrators can anchor their DNS firewall policies in the abusive
name server names or name server addresses, and thus protect their
customers' end users from threats where neither the domain name nor the IP
address of that threat is known in advance.
Electronic criminals rely on the full resiliency of DNS just as the rest of
digital society does. By targeting criminal assets at the DNS level we can
deny these criminals the resilience they need. A distributed DNS firewall
can leverage the high skills of a security company to protect a large
number of end users. DNS RPZ, as the first open and vendor-neutral
distributed DNS firewall, can be an effective way to deliver threat
intelligence to customers.
A Real-World Example of DNS RPZ's Value
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The Conficker malware worm (https://en.wikipedia.org/wiki/Conficker) was
first detected in 2008. Although it is no longer an active threat, the
techniques described here can be applied to other DNS threats.
Conficker used a domain generation algorithm (DGA) to choose up to 50,000
command and control domains per day. It would be impractical to create
an RPZ that contains so many domain names and changes so much on a daily
basis. Instead, we can trigger RPZ rules based on the names of the name
servers that are authoritative for the command and control domains, rather
than trying to trigger on each of 50,000 different (daily) query names.
Since the well-known name server names for Conficker's domain names are
never used by nonmalicious domains, it is safe to poison all lookups that
rely on these name servers. Here is an example that achieves this result:
::
$ORIGIN rpz.example.com.
ns.0xc0f1c3a5.com.rpz-nsdname CNAME *.walled-garden.example.com.
ns.0xc0f1c3a5.net.rpz-nsdname CNAME *.walled-garden.example.com.
ns.0xc0f1c3a5.org.rpz-nsdname CNAME *.walled-garden.example.com.
The ``*`` at the beginning of these CNAME target names is special, and it
causes the original query name to be prepended to the CNAME target. So if a
user tries to visit the Conficker command and control domain
http://racaldftn.com.ai/ (which was a valid Conficker command and control
domain name on 19-October-2011), the RPZ-configured recursive name server
will send back this answer:
::
racaldftn.com.ai. CNAME racaldftn.com.ai.walled-garden.example.com.
racaldftn.com.ai.walled-garden.example.com. A 192.168.50.3
This example presumes that the following DNS content has also been created,
which is not part of the RPZ zone itself but is in another domain:
::
$ORIGIN walled-garden.example.com.
* A 192.168.50.3
Assuming that we're running a web server listening on 192.168.50.3 that
always displays a warning message no matter what uniform resource
identifier (URI) is used, the above RPZ configuration will instruct the web
browser of any infected end user to connect to a "server name" consisting
of their original lookup name (racaldftn.com.ai) prepended to the walled
garden domain name (walled-garden.example.com). This is the name that will
appear in the web server's log file, and having the full name in that log
file will facilitate an analysis as to which users are infected with what
virus.
.. _firewall_updates:
Keeping Firewall Policies Updated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is vital for overall system performance that incremental zone transfers
(see :rfc:`1995`) and real-time change notification (see :rfc:`1996`) be
used to synchronize DNS firewall rule sets between the publisher's primary
copy of the rule set and the subscribers' working copies of the rule set.
If DNS dynamic updates are used to maintain a DNS RPZ rule set, the name
server automatically calculates a stream of deltas for use when sending
incremental zone transfers to the subscribing name servers. Sending a
stream of deltas known as an "incremental zone transfer" or IXFR is
usually much faster than sending the full zone every time it changes, so
it's worth the effort to use an editing method that makes such incremental
transfers possible.
Administrators who edit or periodically regenerate a DNS RPZ rule set and
whose primary name server uses BIND can enable the
``ixfr-from-differences`` option, which tells the primary name server to
calculate the differences between each new zone and the preceding version,
and to make these differences available as a stream of deltas for use in
incremental zone transfers to the subscribing name servers. This will look
something like the following:
.. code-block:: c
options {
// ...
ixfr-from-differences yes;
// ...
};
As mentioned above, the simplest and most common use of a DNS firewall is
to poison domain names known to be purely malicious, by simply making them
disappear. All DNS RPZ rules are expressed as resource record sets
(RRsets), and the way to express a "force a name-does-not-exist condition"
is by adding a CNAME pointing to the root domain (``.``). In practice this
looks like:
::
$ORIGIN rpz.example.com.
malicious1.org CNAME .
*.malicious1.org CNAME .
malicious2.org CNAME .
*.malicious2.org CNAME .
Two things are noteworthy in this example. First, the malicious names are
made relative within the response policy zone. Since there is no trailing
dot following ".org" in the above example, the actual RRsets created within
this response policy zone are, after expansion:
::
malicious1.org.rpz.example.com. CNAME .
*.malicious1.org.rpz.example.com. CNAME .
malicious2.org.rpz.example.com. CNAME .
*.malicious2.org.rpz.example.com. CNAME .
Second, for each name being poisoned, a wildcard name is also listed.
This is because a malicious domain name probably has or may potentially
have malicious subdomains.
In the above example, the relative domain names `malicious1.org` and
`malicious2.org` will match only the real domain names `malicious1.org`
and `malicious2.org`, respectively. The relative domain names
`*.malicious1.org` and `*.malicious2.org` will match any
`subdomain.of.malicious1.org` or `subdomain.of.malicious2.org`,
respectively.
This example forces an NXDOMAIN condition as its policy action, but other
policy actions are also possible.
.. _multiple_rpz_performance:
Performance and Scalability When Using Multiple RPZs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since version 9.10, BIND can be configured to have different response
policies depending on the identity of the querying client and the nature of
the query. To configure BIND response policy, the information is placed
into a zone file whose only purpose is conveying the policy information to
BIND. A zone file containing response policy information is called a
Response Policy Zone, or RPZ, and the mechanism in BIND that uses the
information in those zones is called DNS RPZ.
It is possible to use as many as 64 separate RPZ files in a single instance
of BIND, and BIND is not significantly slowed by such heavy use of RPZ.
(Note: by default, BIND 9.11 only supports up to 32 RPZ files, but this
can be increased to 64 at compile time. All other supported versions of
BIND support 64 by default.)
Each one of the policy zone files can specify policy for as many
different domains as necessary. The limit of 64 is on the number of
independently-specified policy collections and not the number of zones
for which they specify policy.
Policy information from all of the policy zones together are stored in a
special data structure allowing simultaneous lookups across all policy
zones to be performed very rapidly. Looking up a policy rule is
proportional to the logarithm of the number of rules in the largest
single policy zone.
.. _rpz_practical_tips:
Practical Tips for DNS Firewalls and DNS RPZ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Administrators who subscribe to an externally published DNS policy zone and
who have a large number of internal recursive name servers should create an
internal name server called a "distribution master" (DM). The DM is a
secondary (stealth secondary) name server from the publisher's point of
view; that is, the DM is fetching zone content from the external server.
The DM is also a primary name server from the internal recursive name
servers' point of view: they fetch zone content from the DM. In this
configuration the DM is acting as a gateway between the external publisher
and the internal subscribers.
The primary server must know the unicast listener address of every
subscribing recursive server, and must enumerate all of these addresses as
destinations for real time zone change notification (as described in
:rfc:`1996`). So if an enterprise-wide RPZ is called "rpz.example.com" and
if the unicast listener addresses of four of the subscribing recursive name
servers are 192.0.200.1, 192.0.201.1, 192.0.202.1, and 192.0.203.1, the
primary server's configuration looks like this:
.. code-block:: c
zone "rpz.example.com" {
type primary;
file "primary/rpz.example.com";
notify explicit;
also-notify { 192.0.200.1;
192.0.201.1;
192.0.202.1;
192.0.203.1; };
allow-transfer { 192.0.200.1;
192.0.201.1;
192.0.202.1;
192.0.203.1; };
allow-query { localhost; };
};
Each recursive DNS server that subscribes to the policy zone must be
configured as a secondary server for the zone, and must also be configured
to use the policy zone for local response policy. To subscribe a recursive
name server to a response policy zone where the unicast listener address
of the primary server is 192.0.220.2, the server's configuration should
look like this:
.. code-block:: c
options {
// ...
response-policy {
zone "rpz.example.com";
};
// ...
};
zone "rpz.example.com";
type secondary;
primaries { 192.0.222.2; };
file "secondary/rpz.example.com";
allow-query { localhost; };
allow-transfer { none; };
};
Note that queries are restricted to "localhost," since query access is
never used by DNS RPZ itself, but may be useful to DNS operators for use in
debugging. Transfers should be disallowed to prevent policy information
leaks.
If an organization's business continuity depends on full connectivity with
another company whose ISP also serves some criminal or abusive customers,
it's possible that one or more external RPZ providers that is, security
feed vendors may eventually add some RPZ rules that could hurt a
company's connectivity to its business partner. Users can protect
themselves from this risk by using an internal RPZ in addition to any
external RPZs, and by putting into their internal RPZ some "pass-through"
rules to prevent any policy action from affecting a DNS response that
involves a business partner.
A recursive DNS server can be connected to more than one RPZ, and these are
searched in order. Therefore, to protect a network from dangerous policies
which may someday appear in external RPZ zones, administrators should list
the internal RPZ zones first.
.. code-block:: c
options {
// ...
response-policy {
zone "rpz.example.com";
zone "rpz.security-vendor-1.com";
zone "rpz.security-vendor-2.com";
};
// ...
};
Within an internal RPZ, there need to be rules describing the network
assets of business partners whose communications need to be protected.
Although it is not generally possible to know what domain names they use,
administrators will be aware of what address space they have and perhaps
what name server names they use.
::
$ORIGIN rpz.example.com.
8.0.0.0.10.rpz-ip CNAME rpz-passthru.
16.0.0.45.128.rpz-nsip CNAME rpz-passthru.
ns.partner1.com.rpz-nsdname CNAME rpz-passthru.
ns.partner2.com.rpz-nsdname CNAME rpz-passthru.
Here, we know that answers in address block 10.0.0.0/8 indicate a business
partner, as well as answers involving any name server whose address is in
the 128.45.0.0/16 address block, and answers involving the name servers
whose names are ns.partner1.com or ns.partner2.com.
The above example demonstrates that when matching by answer IP address (the
.rpz-ip owner), or by name server IP address (the .rpz-nsip owner) or by
name server domain name (the .rpz-nsdname owner), the special RPZ marker
(.rpz-ip, .rpz-nsip, or .rpz-nsdname) does not appear as part of the CNAME
target name.
By triggering these rules using the known network assets of a partner,
and using the "pass-through" policy action, no later RPZ processing
(which in the above example refers to the "rpz.security-vendor-1.com" and
"rpz.security-vendor-2.com" policy zones) will have any effect on DNS
responses for partner assets.
.. _walled_garden_ip_address:
Creating a Simple Walled Garden Triggered by IP Address
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It may be the case that the only thing known about an attacker is the IP
address block they are using for their "phishing" web servers. If the
domain names and name servers they use are unknown, but it is known that
every one of their "phishing" web servers is within a small block of IP
addresses, a response can be triggered on all answers that would include
records in this address range, using RPZ rules that look like the following
example:
::
$ORIGIN rpz.example.com.
22.0.212.94.109.rpz-ip CNAME drop.garden.example.com.
*.212.94.109.in-addr.arpa CNAME .
*.213.94.109.in-addr.arpa CNAME .
*.214.94.109.in-addr.arpa CNAME .
*.215.94.109.in-addr.arpa CNAME .
Here, if a truthful answer would include an A (address) RR (resource
record) whose value were within the 109.94.212.0/22 address block, then a
synthetic answer is sent instead of the truthful answer. Assuming the query
is for www.malicious.net, the synthetic answer is:
::
www.malicious.net. CNAME drop.garden.example.com.
drop.garden.example.com. A 192.168.7.89
This assumes that `drop.garden.example.com` has been created as real DNS
content, outside of the RPZ:
::
$ORIGIN example.com.
drop.garden A 192.168.7.89
In this example, there is no "\*" in the CNAME target name, so the original
query name will not be present in the walled garden web server's log file.
This is an undesirable loss of information, and is shown here for example
purposes only.
The above example RPZ rules would also affect address-to-name (also
known as "reverse DNS") lookups for the unwanted addresses. If a mail
or web server receives a connection from an address in the example's
109.94.212.0/22 address block, it will perform a PTR record lookup to
find the domain name associated with that IP address.
This kind of address-to-name translation is usually used for diagnostic or
logging purposes, but it is also common for email servers to reject any
email from IP addresses which have no address-to-name translation. Most
mail from such IP addresses is spam, so the lack of a PTR record here has
some predictive value. By using the "force name-does-not-exist" policy
trigger on all lookups in the PTR name space associated with an address
block, DNS administrators can give their servers a hint that these IP
addresses are probably sending junk.
.. _known_rpz_inconsistency:
A Known Inconsistency in DNS RPZ's NSDNAME and NSIP Rules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Response Policy Zones define several possible triggers for each rule, and
among these two are known to produce inconsistent results. This is not a
bug; rather, it relates to inconsistencies in the DNS delegation model.
DNS Delegation
^^^^^^^^^^^^^^
In DNS authority data, an NS RRset that is not at the apex of a DNS zone
creates a sub-zone. That sub-zones data is separate from the current (or
"parent") zone, and it can have different authoritative name servers than
the current zone. In this way, the root zone leads to COM, NET, ORG, and so
on, each of which have their own name servers and their own way of managing
their authoritative data. Similarly, ORG has delegations to ISC.ORG and to
millions of other “dot-ORG” zones, each of which can have its own set of
authoritative name servers. In the parlance of the protocol, these NS
RRsets below the apex of a zone are called “delegation points.” An
NS RRset at a delegation point contains a list of authoritative servers
to which the parent zone is delegating authority for all names at or below
the delegation point.
At the apex of every zone there is also an NS RRset. Ideally, this
so-called “apex NS RRset” should be identical to the “delegation point NS
RRset” in the parent zone, but this ideal is not always achieved. In the
real DNS, its almost always easier for a zone administrator to update one
of these NS RRsets than the other, so that one will be correct and the
other out of date. This inconsistency is so common that its been
necessarily rendered harmless: domains that are inconsistent in this way
are less reliable and perhaps slower, but they still function as long as
there is some overlap between each of the NS RRsets and the truth. (“Truth”
in this case refers to the actual set of name servers that are
authoritative for the zone.)
A Quick Review of DNS Iteration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In DNS recursive name servers, an incoming query that cannot be answered
from the local cache is sent to the closest known delegation point for the
query name. For example, if a server is looking up XYZZY.ISC.ORG and it
the name servers for ISC.ORG, then it sends the query to those servers
directly; however, if it has never heard of ISC.ORG before, it must first
send the query to the name servers for ORG (or perhaps even to the root
zone that is the parent of ORG).
When it asks one of the parent name servers, that server will not have an
answer, so it sends a “referral” consisting only of the “delegation point
NS RRset.” Once the server receives this referral, it “iterates” by sending
the same query again, but this time to name servers for a more specific
part of the query name. Eventually this iteration terminates, usually by
getting an answer or a “name error” (NXDOMAIN) from the query names
authoritative server, or by encountering some type of server failure.
When an authoritative server for the query name sends an answer, it has the
option of including a copy of the zones apex NS RRset. If this occurs, the
recursive name server caches this NS RRset, replacing the delegation point
NS RRset that it had received during the iteration process. In the parlance
of the DNS, the delegation point NS RRset is “glue,” meaning
non-authoritative data, or more of a hint than a real truth. On the other
hand, the apex NS RRset is authoritative data, coming as it does from the
zone itself, and it is considered more credible than the “glue.” For this
reason, its a little bit more important that the apex NS RRset be correct
than that the delegation point NS RRset be correct, since the former will
quickly replace the latter, and will be used more often for a longer total
period of time.
Importantly, the authoritative name server need not include its apex NS
RRset in any answers, and recursive name servers do not ordinarily query
directly for this RRset. Therefore it is possible for the apex NS RRset to
be completely wrong without any operational ill-effects, since the wrong
data need not be exposed. Of course, if a query comes in for this NS RRset,
most recursive name servers will forward the query to the zones authority
servers, since its bad form to return “glue” data when asked a specific
question. In these corner cases, bad apex NS RRset data can cause a zone to
become unreachable unpredictably, according to what other queries the
recursive name server has processed.
There is another kind of “glue," for name servers whose names are below
delegation points. If ORG delegates ISC.ORG to NS-EXT.ISC.ORG, the ORG
server needs to know an address for NS-EXT.ISC.ORG and return this address
as part of the delegation response. However, the name-to-address binding
for this name server is only authoritative inside the ISC.ORG zone;
therefore, the A or AAAA RRset given out with the delegation is
non-authoritative “glue,” which is replaced by an authoritative RRset if
one is seen. As with apex NS RRsets, the real A or AAAA RRset is not
automatically queried for by the recursive name server, but is queried for
if an incoming query asks for this RRset.
Enter RPZ
^^^^^^^^^
RPZ has two trigger types that are intended to allow policy zone authors to
target entire groups of domains based on those domains all being served by
the same DNS servers: NSDNAME and NSIP. The NSDNAME and NSIP rules are
matched against the name and IP address (respectively) of the nameservers
of the zone the answer is in, and all of its parent zones. In its default
configuration, BIND actively fetches any missing NS RRsets and address
records. If, in the process of attempting to resolve the names of all of
these delegated server names, BIND receives a SERVFAIL response for any of
the queries, then it aborts the policy rule evaluation and returns SERVFAIL
for the query. This is technically neither a match nor a non-match of the
rule.
Every "." in a fully qualified domain name (FQDN) represents a potential
delegation point. When BIND goes searching for parent zone NS RRsets (and,
in the case of NSIP, their accompanying address records), it has to check
every possible delegation point. This can become a problem for some
specialized pseudo-domains, such as some domain name and network reputation
systems, that have many "." characters in the names. It is further
complicated if that system also has non-compliant DNS servers that silently
drop queries for NS and SOA records. This forces BIND to wait for those
queries to time out before it can finish evaluating the policy rule, even
if this takes longer than a reasonable client typically waits for an answer
(delays of over 60 seconds have been observed).
While both of these cases do involve configurations and/or servers that are
technically "broken," they may still "work" outside of RPZ NSIP and NSDNAME
rules because of redundancy and iteration optimizations.
There are two RPZ options, ``nsip-wait-recurse`` and ``nsdname-wait-recurse``,
that alter BIND's behavior by allowing it to use only those records that
already exist in the cache when evaluating NSIP and NSDNAME rules,
respectively.
Therefore NSDNAME and NSIP rules are unreliable. The rules may be matched
against either the apex NS RRset or the "glue" NS RRset, each with their
associated addresses (that also might or might not be "glue"). Its in the
administrator's interests to discover both the delegation name server names
and addresses, and the apex name server names and authoritative address
records, to ensure correct use of NS and NSIP triggers in RPZ. Even then,
there may be collateral damage to completely unrelated domains that
otherwise "work," just by having NSIP and NSDNAME rules.
.. _rpz_disable_mozilla_doh:
Example: Using RPZ to Disable Mozilla DoH-by-Default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mozilla announced in September 2019 that they would enable DNS-over-HTTPS
(DoH) for all US-based users of the Firefox browser, sending all their DNS
queries to predefined DoH providers (Cloudflare's 1.1.1.1 service in
particular). This is a concern for some network administrators who do not
want their users' DNS queries to be rerouted unexpectedly. However,
Mozilla provides a mechanism to disable the DoH-by-default setting:
if the Mozilla-owned domain `use-application-dns.net
<https://use-application-dns.net>`_ returns an NXDOMAIN response code, Firefox
will not use DoH.
To accomplish this using RPZ:
1. Create a polizy zone file called ``mozilla.rpz.db`` configured so
that NXDOMAIN will be returned for any query to ``use-application-dns.net``:
::
$TTL 604800
$ORIGIN mozilla.rpz.
@ IN SOA localhost. root.localhost. 1 604800 86400 2419200 604800
@ IN NS localhost.
use-application-dns.net CNAME .
2. Add the zone into the BIND configuration (usually :iscman:`named.conf`):
.. code-block:: c
zone mozilla.rpz {
type primary;
file "/<PATH_TO>/mozilla.rpz.db";
allow-query { localhost; };
};
3. Enable use of the Response Policy Zone for all incoming queries
by adding the ``response-policy`` directive into the ``options {}``
section:
.. code-block:: c
options {
response-policy { zone mozilla.rpz; } break-dnssec yes;
};
4. Reload the configuration and test whether the Response Policy
Zone that was just added is in effect:
.. code-block:: shell-session
# rndc reload
# dig IN A use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
# dig IN AAAA use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
The response should return NXDOMAIN instead of the list of IP addresses,
and the BIND 9 log should contain lines like this:
.. code-block:: none
09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
Note that this is the simplest possible configuration; specific
configurations may be different, especially for administrators who are
already using other response policy zones, or whose servers are configured
with multiple views.

14
doc/arm/security.rst → doc/arm/security.inc.rst
View File

@@ -9,12 +9,14 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. Security: .. _security:
BIND 9 Security Considerations Security Configurations
============================== =======================
.. _Access_Control_Lists: .. _file_permissions:
.. _access_Control_Lists:
Access Control Lists Access Control Lists
-------------------- --------------------
@@ -226,3 +228,7 @@ Some sites choose to keep all dynamically updated DNS data in a
subdomain and delegate that subdomain to a separate zone. This way, the subdomain and delegate that subdomain to a separate zone. This way, the
top-level zone containing critical data, such as the IP addresses of top-level zone containing critical data, such as the IP addresses of
public web and mail servers, need not allow dynamic updates at all. public web and mail servers, need not allow dynamic updates at all.
.. _sec_file_transfer:
.. _dns_over_tls:

28
doc/arm/sig0.inc.rst Normal file
View File

@@ -0,0 +1,28 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
SIG(0)
------
BIND partially supports DNSSEC SIG(0) transaction signatures as
specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
authenticate messages. Access control is performed in the same manner as with
TSIG keys; privileges can be granted or denied in ACL directives based
on the key name.
When a SIG(0) signed message is received, it is only verified if
the key is known and trusted by the server. The server does not attempt
to recursively fetch or validate the key.
SIG(0) signing of multiple-message TCP streams is not supported.
The only tool shipped with BIND 9 that generates SIG(0) signed messages
is :iscman:`nsupdate`.

40
doc/arm/tkey.inc.rst Normal file
View File

@@ -0,0 +1,40 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
TKEY
----
TKEY (Transaction KEY) is a mechanism for automatically negotiating a
shared secret between two hosts, originally specified in :rfc:`2930`.
There are several TKEY "modes" that specify how a key is to be generated
or assigned. BIND 9 implements only one of these modes: Diffie-Hellman
key exchange. Both hosts are required to have a KEY record with
algorithm DH (though this record is not required to be present in a
zone).
The TKEY process is initiated by a client or server by sending a query
of type TKEY to a TKEY-aware server. The query must include an
appropriate KEY record in the additional section, and must be signed
using either TSIG or SIG(0) with a previously established key. The
server's response, if successful, contains a TKEY record in its
answer section. After this transaction, both participants have
enough information to calculate a shared secret using Diffie-Hellman key
exchange. The shared secret can then be used to sign subsequent
transactions between the two servers.
TSIG keys known by the server, including TKEY-negotiated keys, can be
listed using :option:`rndc tsig-list`.
TKEY-negotiated keys can be deleted from a server using
:option:`rndc tsig-delete`. This can also be done via the TKEY protocol
itself, by sending an authenticated TKEY query specifying the "key
deletion" mode.

2
doc/arm/troubleshooting.rst → doc/arm/troubleshooting.inc.rst
View File

@@ -9,7 +9,7 @@
.. See the COPYRIGHT file distributed with this work for additional .. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership. .. information regarding copyright ownership.
.. Troubleshooting: .. _troubleshooting:
Troubleshooting Troubleshooting
=============== ===============

165
doc/arm/tsig.inc.rst Normal file
View File

@@ -0,0 +1,165 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _tsig:
TSIG
----
TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
messages, originally specified in :rfc:`2845`. It allows DNS messages to be
cryptographically signed using a shared secret. TSIG can be used in any
DNS transaction, as a way to restrict access to certain server functions
(e.g., recursive queries) to authorized clients when IP-based access
control is insufficient or needs to be overridden, or as a way to ensure
message authenticity when it is critical to the integrity of the server,
such as with dynamic UPDATE messages or zone transfers from a primary to
a secondary server.
This section is a guide to setting up TSIG in BIND. It describes the
configuration syntax and the process of creating TSIG keys.
:iscman:`named` supports TSIG for server-to-server communication, and some of
the tools included with BIND support it for sending messages to
:iscman:`named`:
* :ref:`man_nsupdate` supports TSIG via the :option:`-k <nsupdate -k>`, :option:`-l <nsupdate -l>`, and :option:`-y <nsupdate -y>` command-line options, or via the ``key`` command when running interactively.
* :ref:`man_dig` supports TSIG via the :option:`-k <dig -k>` and :option:`-y <dig -y>` command-line options.
Generating a Shared Key
~~~~~~~~~~~~~~~~~~~~~~~
TSIG keys can be generated using the :iscman:`tsig-keygen` command; the output
of the command is a ``key`` directive suitable for inclusion in
:iscman:`named.conf`. The key name, algorithm, and size can be specified by
command-line parameters; the defaults are "tsig-key", HMAC-SHA256, and
256 bits, respectively.
Any string which is a valid DNS name can be used as a key name. For
example, a key to be shared between servers called ``host1`` and ``host2``
could be called "host1-host2.", and this key can be generated using:
::
$ tsig-keygen host1-host2. > host1-host2.key
This key may then be copied to both hosts. The key name and secret must
be identical on both hosts. (Note: copying a shared secret from one
server to another is beyond the scope of the DNS. A secure transport
mechanism should be used: secure FTP, SSL, ssh, telephone, encrypted
email, etc.)
:iscman:`tsig-keygen` can also be run as :iscman:`ddns-confgen`, in which case its
output includes additional configuration text for setting up dynamic DNS
in :iscman:`named`. See :ref:`man_ddns-confgen` for details.
Loading a New Key
~~~~~~~~~~~~~~~~~
For a key shared between servers called ``host1`` and ``host2``, the
following could be added to each server's :iscman:`named.conf` file:
::
key "host1-host2." {
algorithm hmac-sha256;
secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
};
(This is the same key generated above using :iscman:`tsig-keygen`.)
Since this text contains a secret, it is recommended that either
:iscman:`named.conf` not be world-readable, or that the ``key`` directive be
stored in a file which is not world-readable and which is included in
:iscman:`named.conf` via the ``include`` directive.
Once a key has been added to :iscman:`named.conf` and the server has been
restarted or reconfigured, the server can recognize the key. If the
server receives a message signed by the key, it is able to verify
the signature. If the signature is valid, the response is signed
using the same key.
TSIG keys that are known to a server can be listed using the command
:option:`rndc tsig-list`.
Instructing the Server to Use a Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A server sending a request to another server must be told whether to use
a key, and if so, which key to use.
For example, a key may be specified for each server in the ``primaries``
statement in the definition of a secondary zone; in this case, all SOA QUERY
messages, NOTIFY messages, and zone transfer requests (AXFR or IXFR)
are signed using the specified key. Keys may also be specified in
the ``also-notify`` statement of a primary or secondary zone, causing NOTIFY
messages to be signed using the specified key.
Keys can also be specified in a ``server`` directive. Adding the
following on ``host1``, if the IP address of ``host2`` is 10.1.2.3, would
cause *all* requests from ``host1`` to ``host2``, including normal DNS
queries, to be signed using the ``host1-host2.`` key:
::
server 10.1.2.3 {
keys { host1-host2. ;};
};
Multiple keys may be present in the ``keys`` statement, but only the
first one is used. As this directive does not contain secrets, it can be
used in a world-readable file.
Requests sent by ``host2`` to ``host1`` would *not* be signed, unless a
similar ``server`` directive were in ``host2``'s configuration file.
When any server sends a TSIG-signed DNS request, it expects the
response to be signed with the same key. If a response is not signed, or
if the signature is not valid, the response is rejected.
TSIG-Based Access Control
~~~~~~~~~~~~~~~~~~~~~~~~~
TSIG keys may be specified in ACL definitions and ACL directives such as
``allow-query``, ``allow-transfer``, and ``allow-update``. The above key
would be denoted in an ACL element as ``key host1-host2.``
Here is an example of an ``allow-update`` directive using a TSIG key:
::
allow-update { !{ !localnets; any; }; key host1-host2. ;};
This allows dynamic updates to succeed only if the UPDATE request comes
from an address in ``localnets``, *and* if it is signed using the
``host1-host2.`` key.
See :ref:`dynamic_update_policies` for a
discussion of the more flexible ``update-policy`` statement.
Errors
~~~~~~
Processing of TSIG-signed messages can result in several errors:
- If a TSIG-aware server receives a message signed by an unknown key,
the response will be unsigned, with the TSIG extended error code set
to BADKEY.
- If a TSIG-aware server receives a message from a known key but with
an invalid signature, the response will be unsigned, with the TSIG
extended error code set to BADSIG.
- If a TSIG-aware server receives a message with a time outside of the
allowed range, the response will be signed but the TSIG extended
error code set to BADTIME, and the time values will be adjusted so
that the response can be successfully verified.
In all of the above cases, the server returns a response code of
NOTAUTH (not authenticated).

449
doc/arm/zones.inc.rst Normal file
View File

@@ -0,0 +1,449 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _zone_file:
.. _soa_rr:
Zone File
---------
This section, largely borrowed from :rfc:`1034`, describes the concept of a
Resource Record (RR) and explains how to use them.
Resource Records
~~~~~~~~~~~~~~~~
A domain name identifies a node in the DNS tree namespace. Each node has a set of resource
information, which may be empty. The set of resource information
associated with a particular name is composed of separate RRs. The order
of RRs in a set is not significant and need not be preserved by name
servers, resolvers, or other parts of the DNS. However, sorting of
multiple RRs is permitted for optimization purposes: for example, to
specify that a particular nearby server be tried first. See
:ref:`the_sortlist_statement` and :ref:`rrset_ordering`.
The components of a Resource Record are:
.. glossary::
owner name
The domain name where the RR is found.
type
An encoded 16-bit value that specifies the type of the resource record.
For a list of *types* of valid RRs, including those that have been obsoleted, please refer to
`https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4`.
TTL
The time-to-live of the RR. This field is a 32-bit integer in units of seconds,
and is primarily used by resolvers when they cache RRs. The TTL describes how long
a RR can be cached before it should be discarded.
class
An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
RDATA
The resource data. The format of the data is type- and sometimes class-specific.
The following *classes* of resource records are currently valid in the
DNS:
.. glossary::
IN
The Internet. The only widely :term:`class` used today.
CH
Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., **version.bind**.
HS
Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
The :term:`owner name` is often implicit, rather than forming an integral part
of the RR. For example, many name servers internally form tree or hash
structures for the name space, and chain RRs off nodes. The remaining RR
parts are the fixed header (type, class, TTL), which is consistent for
all RRs, and a variable part (RDATA) that fits the needs of the resource
being described.
The TTL field is a time limit on how long an RR can be
kept in a cache. This limit does not apply to authoritative data in
zones; that also times out, but follows the refreshing policies for the
zone. The TTL is assigned by the administrator for the zone where the
data originates. While short TTLs can be used to minimize caching, and a
zero TTL prohibits caching, the realities of Internet performance
suggest that these times should be on the order of days for the typical
host. If a change is anticipated, the TTL can be reduced prior to
the change to minimize inconsistency, and then
increased back to its former value following the change.
The data in the RDATA section of RRs is carried as a combination of
binary strings and domain names. The domain names are frequently used as
"pointers" to other data in the DNS.
.. _rr_text:
Textual Expression of RRs
^^^^^^^^^^^^^^^^^^^^^^^^^
RRs are represented in binary form in the packets of the DNS protocol,
and are usually represented in highly encoded form when stored in a name
server or resolver. In the examples provided in :rfc:`1034`, a style
similar to that used in primary files was employed in order to show the
contents of RRs. In this format, most RRs are shown on a single line,
although continuation lines are possible using parentheses.
The start of the line gives the owner of the RR. If a line begins with a
blank, then the owner is assumed to be the same as that of the previous
RR. Blank lines are often included for readability.
Following the owner are listed the TTL, type, and class of the RR. Class
and type use the mnemonics defined above, and TTL is an integer before
the type field. To avoid ambiguity in parsing, type and class
mnemonics are disjoint, TTLs are integers, and the type mnemonic is
always last. The IN class and TTL values are often omitted from examples
in the interest of clarity.
The resource data or RDATA section of the RR is given using knowledge
of the typical representation for the data.
For example, the RRs carried in a message might be shown as:
+---------------------+---------------+--------------------------------+
| **ISI.EDU.** | **MX** | **10 VENERA.ISI.EDU.** |
+---------------------+---------------+--------------------------------+
| | **MX** | **10 VAXA.ISI.EDU** |
+---------------------+---------------+--------------------------------+
| **VENERA.ISI.EDU** | **A** | **128.9.0.32** |
+---------------------+---------------+--------------------------------+
| | **A** | **10.1.0.52** |
+---------------------+---------------+--------------------------------+
| **VAXA.ISI.EDU** | **A** | **10.2.0.27** |
+---------------------+---------------+--------------------------------+
| | **A** | **128.9.0.33** |
+---------------------+---------------+--------------------------------+
The MX RRs have an RDATA section which consists of a 16-bit number
followed by a domain name. The address RRs use a standard IP address
format to contain a 32-bit Internet address.
The above example shows six RRs, with two RRs at each of three domain
names.
Here is another possible example:
+----------------------+---------------+-------------------------------+
| **XX.LCS.MIT.EDU.** | **IN A** | **10.0.0.44** |
+----------------------+---------------+-------------------------------+
| | **CH A** | **MIT.EDU. 2420** |
+----------------------+---------------+-------------------------------+
This shows two addresses for **XX.LCS.MIT.EDU**, each of a
different class.
.. _mx_records:
Discussion of MX Records
~~~~~~~~~~~~~~~~~~~~~~~~
As described above, domain servers store information as a series of
resource records, each of which contains a particular piece of
information about a given domain name (which is usually, but not always,
a host). The simplest way to think of an RR is as a typed pair of data, a
domain name matched with a relevant datum and stored with some
additional type information, to help systems determine when the RR is
relevant.
MX records are used to control delivery of email. The data specified in
the record is a priority and a domain name. The priority controls the
order in which email delivery is attempted, with the lowest number
first. If two priorities are the same, a server is chosen randomly. If
no servers at a given priority are responding, the mail transport agent
falls back to the next largest priority. Priority numbers do not
have any absolute meaning; they are relevant only respective to other
MX records for that domain name. The domain name given is the machine to
which the mail is delivered. It *must* have an associated address
record (A or AAAA); CNAME is not sufficient.
For a given domain, if there is both a CNAME record and an MX record,
the MX record is in error and is ignored. Instead, the mail is
delivered to the server specified in the MX record pointed to by the
CNAME. For example:
+------------------------+--------+--------+--------------+------------------------+
| **example.com.** | **IN** | **MX** | **10** | **mail.example.com.** |
+------------------------+--------+--------+--------------+------------------------+
| | **IN** | **MX** | **10** | **mail2.example.com.** |
+------------------------+--------+--------+--------------+------------------------+
| | **IN** | **MX** | **20** | **mail.backup.org.** |
+------------------------+--------+--------+--------------+------------------------+
| **mail.example.com.** | **IN** | **A** | **10.0.0.1** | |
+------------------------+--------+--------+--------------+------------------------+
| **mail2.example.com.** | **IN** | **A** | **10.0.0.2** | |
+------------------------+--------+--------+--------------+------------------------+
Mail delivery is attempted to **mail.example.com** and
**mail2.example.com** (in any order); if neither of those succeeds,
delivery to **mail.backup.org** is attempted.
.. _Setting_TTLs:
Setting TTLs
~~~~~~~~~~~~
The time-to-live (TTL) of the RR field is a 32-bit integer represented in
units of seconds, and is primarily used by resolvers when they cache
RRs. The TTL describes how long an RR can be cached before it should be
discarded. The following three types of TTLs are currently used in a zone
file.
.. glossary::
SOA minimum
The last field in the SOA is the negative caching TTL.
This controls how long other servers cache no-such-domain (NXDOMAIN)
responses from this server. Further details can be found in :rfc:`2308`.
The maximum time for negative caching is 3 hours (3h).
$TTL
The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
RR TTLs
Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
All of these TTLs default to units of seconds, though units can be
explicitly specified: for example, **1h30m**.
.. _ipv4_reverse:
Inverse Mapping in IPv4
~~~~~~~~~~~~~~~~~~~~~~~
Reverse name resolution (that is, translation from IP address to name)
is achieved by means of the **in-addr.arpa** domain and PTR records.
Entries in the in-addr.arpa domain are made in least-to-most significant
order, read left to right. This is the opposite order to the way IP
addresses are usually written. Thus, a machine with an IP address of
10.1.2.3 would have a corresponding in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose
data field is the name of the machine or, optionally, multiple PTR
records if the machine has more than one name. For example, in the
**example.com** domain:
+--------------+-------------------------------------------------------+
| **$ORIGIN** | **2.1.10.in-addr.arpa** |
+--------------+-------------------------------------------------------+
| **3** | **IN PTR foo.example.com.** |
+--------------+-------------------------------------------------------+
.. note::
The **$ORIGIN** line in this example is only to provide context;
it does not necessarily appear in the actual
usage. It is only used here to indicate that the example is
relative to the listed origin.
.. _zone_directives:
Other Zone File Directives
~~~~~~~~~~~~~~~~~~~~~~~~~~
The DNS "master file" format was initially defined in :rfc:`1035` and has
subsequently been extended. While the format itself is class-independent,
all records in a zone file must be of the same class.
Master file directives include **$ORIGIN**, **$INCLUDE**, and **$TTL.**
.. _atsign:
The **@** (at-sign)
^^^^^^^^^^^^^^^^^^^
When used in the label (or name) field, the asperand or at-sign (@)
symbol represents the current origin. At the start of the zone file, it
is the <**zone_name**>, followed by a trailing dot (.).
.. _origin_directive:
The **$ORIGIN** Directive
^^^^^^^^^^^^^^^^^^^^^^^^^
Syntax: **$ORIGIN** domain-name [comment]
**$ORIGIN** sets the domain name that is appended to any
unqualified records. When a zone is first read, there is an implicit
``$ORIGIN <zone_name>.``; note the trailing dot. The
current **$ORIGIN** is appended to the domain specified in the
**$ORIGIN** argument if it is not absolute.
::
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
is equivalent to
::
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
.. _include_directive:
The **$INCLUDE** Directive
^^^^^^^^^^^^^^^^^^^^^^^^^^
Syntax: **$INCLUDE** filename [origin] [comment]
This reads and processes the file **filename** as if it were included in the
file at this point. The **filename** can be an absolute path, or a relative
path. In the latter case it is read from :iscman:`named`'s working directory. If
**origin** is specified, the file is processed with **$ORIGIN** set to that
value; otherwise, the current **$ORIGIN** is used.
The origin and the current domain name revert to the values they had
prior to the **$INCLUDE** once the file has been read.
.. note::
:rfc:`1035` specifies that the current origin should be restored after
an **$INCLUDE**, but it is silent on whether the current domain name
should also be restored. BIND 9 restores both of them. This could be
construed as a deviation from :rfc:`1035`, a feature, or both.
.. _ttl_directive:
The **$TTL** Directive
^^^^^^^^^^^^^^^^^^^^^^
Syntax: **$TTL** default-ttl [comment]
This sets the default Time-To-Live (TTL) for subsequent records with undefined
TTLs. Valid TTLs are of the range 0-2147483647 seconds.
**$TTL** is defined in :rfc:`2308`.
.. _generate_directive:
BIND Primary File Extension: the **$GENERATE** Directive
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Syntax: **$GENERATE** range lhs [ttl] [class] type rhs [comment]
**$GENERATE** is used to create a series of resource records that only
differ from each other by an iterator. **$GENERATE** can be used to
easily generate the sets of records required to support sub-/24 reverse
delegations described in :rfc:`2317`.
::
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
is equivalent to
::
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
Both generate a set of A and MX records. Note the MX's right-hand side is a
quoted string. The quotes are stripped when the right-hand side is
processed.
::
$ORIGIN EXAMPLE.
$GENERATE 1-127 HOST-$ A 1.2.3.$
$GENERATE 1-127 HOST-$ MX "0 ."
is equivalent to
::
HOST-1.EXAMPLE. A 1.2.3.1
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
...
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
**range**
This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. "start", "stop", and "step" must be positive integers between 0 and (2^31)-1. "start" must not be larger than "stop".
**owner**
This describes the owner name of the resource records to be created. Any single **$** (dollar sign) symbols within the **owner** string are replaced by the iterator value. To get a **$** in the output, escape the **$** using a backslash **\\**, e.g., ``\$``. The **$** may optionally be followed by modifiers which change the offset from the iterator, field width, and base.
Modifiers are introduced by a **{** (left brace) immediately following the **$**, as in **${offset[,width[,base]]}**. For example, **${-20,3,d}** subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (**d**), octal (**o**), hexadecimal (**x** or **X** for uppercase), and nibble (**n** or **N** for uppercase).
The default modifier is **${0,0,d}**. If the **owner** is not absolute, the current **$ORIGIN** is appended to the name.
In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator.
For compatibility with earlier versions, **$$** is still recognized as indicating a literal **$** in the output.
**ttl**
This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules.
**class** and **ttl** can be entered in either order.
**class**
This specifies the class of the generated records. This must match the zone class if it is specified.
**class** and **ttl** can be entered in either order.
**type**
This can be any valid type.
**rdata**
This is a string containing the RDATA of the resource record to be created. It may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record.
The **$GENERATE** directive is a BIND extension and not part of the
standard zone file format.
.. _zonefile_format:
Additional File Formats
~~~~~~~~~~~~~~~~~~~~~~~
In addition to the standard text format, BIND 9 supports the ability
to read or dump to zone files in other formats.
The **raw** format is a binary representation of zone data in a manner
similar to that used in zone transfers. Since it does not require
parsing text, load time is significantly reduced.
For a primary server, a zone file in **raw** format is expected
to be generated from a text zone file by the :iscman:`named-compilezone` command.
For a secondary server or a dynamic zone, the zone file is automatically
generated when :iscman:`named` dumps the zone contents after zone transfer or
when applying prior updates, if one of these formats is specified by the
**masterfile-format** option.
If a zone file in **raw** format needs manual modification, it first must
be converted to **text** format by the :iscman:`named-compilezone` command,
then converted back after editing. For example:
::
named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
[edit zonefile.text]
named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text

4
doc/dnssec-guide/introduction.rst
View File

@@ -219,7 +219,7 @@ trust one key: the root key.
.. _dnssec_12_steps: .. _dnssec_12_steps:
The 12-Step DNSSEC Validation Process (Simplified) The 12-Step DNSSEC Validation Process (Simplified)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following example shows the 12 steps of the DNSSEC validating process The following example shows the 12 steps of the DNSSEC validating process
at a very high level, looking up the name ``www.isc.org`` : at a very high level, looking up the name ``www.isc.org`` :
@@ -306,7 +306,7 @@ at a very high level, looking up the name ``www.isc.org`` :
.. _chain_of_trust: .. _chain_of_trust:
Chain of Trust Chain of Trust
^^^^^^^^^^^^^^ ~~~~~~~~~~~~~~
But what about the root server itself? Who do we go to verify root's But what about the root server itself? Who do we go to verify root's
keys? There's no parent zone for root. In security, you have to trust keys? There's no parent zone for root. In security, you have to trust

2
util/check-categories.sh
View File

@@ -19,7 +19,7 @@ list1=$(
sort -u sort -u
) )
list2=$( list2=$(
sed -ne 's/^``\(.*\)``/\1/p' doc/arm/logging-categories.rst | sed -ne 's/^``\(.*\)``/\1/p' doc/arm/logging-categories.inc.rst |
sort -u sort -u
) )
status=0 status=0