mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

minor documentation fixes from Jeremy [RT #16855]

Browse Source
This commit is contained in:
Mark Andrews
2007-05-08 00:19:55 +00:00
parent 1f5cf26443
commit 9a8f76e238
1 changed files with 52 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
doc/arm/Bv9ARM-book.xml
View File

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.319 2007/04/26 06:14:26 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.320 2007/05/08 00:19:55 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -91,8 +91,8 @@
security considerations, and
<emphasis>Section 8</emphasis> contains troubleshooting help. The
main body of the document is followed by several
<emphasis>Appendices</emphasis> which contain useful reference
information, such as a <emphasis>Bibliography</emphasis> and
<emphasis>appendices</emphasis> which contain useful reference
information, such as a <emphasis>bibliography</emphasis> and
historic information related to <acronym>BIND</acronym>
and the Domain Name
System.
@@ -229,8 +229,8 @@
<title>The Domain Name System (<acronym>DNS</acronym>)</title>
<para>
The purpose of this document is to explain the installation
and upkeep of the <acronym>BIND</acronym> software
package, and we
and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
begin by reviewing the fundamentals of the Domain Name System
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
</para>
@@ -1085,6 +1085,12 @@ zone "eng.example.com" {
(<command>rndc</command>) program allows the
system
administrator to control the operation of a name server.
Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
supports all the commands of the BIND 8 <command>ndc</command>
utility except <command>ndc start</command> and
<command>ndc restart</command>, which were also
not supported in <command>ndc</command>'s
channel mode.
If you run <command>rndc</command> without any
options
it will display a usage message as follows:
@@ -1356,15 +1362,6 @@ zone "eng.example.com" {
</variablelist>
<para>
In <acronym>BIND</acronym> 9.2, <command>rndc</command>
supports all the commands of the BIND 8 <command>ndc</command>
utility except <command>ndc start</command> and
<command>ndc restart</command>, which were also
not supported in <command>ndc</command>'s
channel mode.
</para>
<para>
A configuration file is required, since all
communication with the server is authenticated with
@@ -1758,9 +1755,8 @@ controls {
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
</para>
<para>
Here is an example of a split DNS setup:
</para>
<sect2>
<title>Example split DNS setup</title>
<para>
Let's say a company named <emphasis>Example, Inc.</emphasis>
(<literal>example.com</literal>)
@@ -1995,6 +1991,7 @@ nameserver 172.16.72.3
nameserver 172.16.72.4
</programlisting>
</sect2>
</sect1>
<sect1 id="tsig">
<title>TSIG</title>
@@ -2193,7 +2190,7 @@ allow-update { key host1-host2. ;};
outside of the allowed range, the response will be signed with
the TSIG extended error code set to BADTIME, and the time values
will be adjusted so that the response can be successfully
verified. In any of these cases, the message's rcode is set to
verified. In any of these cases, the message's rcode (response code) is set to
NOTAUTH (not authenticated).
</para>
@@ -2272,7 +2269,7 @@ allow-update { key host1-host2. ;};
<para>
Cryptographic authentication of DNS information is possible
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
defined in RFC 4033, RFC 4034 and RFC 4035.
defined in RFC 4033, RFC 4034, and RFC 4035.
This section describes the creation and use of DNSSEC signed zones.
</para>
@@ -2340,7 +2337,7 @@ allow-update { key host1-host2. ;};
<filename>Kchild.example.+005+12345.key</filename> and
<filename>Kchild.example.+005+12345.private</filename>
(where
12345 is an example of a key tag). The key file names contain
12345 is an example of a key tag). The key filenames contain
the key name (<filename>child.example.</filename>),
algorithm (3
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
@@ -2842,7 +2839,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<entry colname="2">
<para>
An IP port <varname>number</varname>.
<varname>number</varname> is limited to 0
The <varname>number</varname> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
as root.
@@ -3120,7 +3117,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
The <acronym>BIND</acronym> 9 comment syntax allows for
comments to appear
anywhere that white space may appear in a <acronym>BIND</acronym> configuration
anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
in the C, C++, or shell/perl style.
</para>
@@ -3137,7 +3134,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<sect3>
<title>Definition and Usage</title>
<para>
Comments may appear anywhere that white space may appear in
Comments may appear anywhere that whitespace may appear in
a <acronym>BIND</acronym> configuration file.
</para>
<para>
@@ -4207,7 +4204,7 @@ category notify { null; };
</para>
<para>
the query log entry reports the client's IP
The query log entry reports the client's IP
address and port number, and the query name,
class and type. It also reports whether the
Recursion Desired flag was set (+ if set, -
@@ -4303,7 +4300,7 @@ category notify { null; };
The <command>lwres</command> statement configures the
name
server to also act as a lightweight resolver server. (See
<xref linkend="lwresd"/>.) There may be be multiple
<xref linkend="lwresd"/>.) There may be multiple
<command>lwres</command> statements configuring
lightweight resolver servers with different properties.
</para>
@@ -4697,7 +4694,7 @@ category notify { null; };
name server. Specifying <command>pid-file none</command> disables the
use of a PID file &mdash; no file will be written and any
existing one will be removed. Note that <command>none</command>
is a keyword, not a file name, and therefore is not enclosed
is a keyword, not a filename, and therefore is not enclosed
in
double quotes.
</para>
@@ -5326,7 +5323,7 @@ options {
<para>
<emphasis>This option is obsolete</emphasis>.
If you need to disable IXFR to a particular server or
servers see
servers, see
the information on the <command>provide-ixfr</command> option
in <xref linkend="server_statement_definition_and_usage"/>.
See also
@@ -5560,6 +5557,7 @@ options {
<para>
Accept expired signatures when verifying DNSSEC signatures.
The default is <userinput>no</userinput>.
Setting this option to "yes" leaves named vulnerable to replay attacks.
</para>
</listitem>
</varlistentry>
@@ -5603,7 +5601,7 @@ options {
and MX records.
It also applies to the RDATA of PTR records where the owner
name indicated that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
</para>
</listitem>
</varlistentry>
@@ -5728,7 +5726,8 @@ options {
<listitem>
<para>
Try to refresh the zone using TCP if UDP queries fail.
The default is <command>yes</command>.
For BIND 8 compatibility, the default is
<command>yes</command>.
</para>
</listitem>
</varlistentry>
@@ -5910,6 +5909,12 @@ options {
<command>localnets</command> and
<command>localhost</command>.
</para>
<para>
The way to set query access to the cache is now via
<command>allow-query-cache</command>.
This differs from earlier versions which used
<command>allow-query</command>.
</para>
</listitem>
</varlistentry>
@@ -6819,7 +6824,7 @@ query-source-v6 address * port *;
</para><note>
<simpara>
Not yet implemented in
<acronym>BIND</acronym>9.
<acronym>BIND</acronym> 9.
</simpara>
</note>
</listitem>
@@ -7206,7 +7211,7 @@ query-source-v6 address * port *;
values are 512 to 4096 (values outside this range
will be silently adjusted). The default value is
4096. The usual reason for setting edns-udp-size to
a non-default value it to get UDP answers to pass
a non-default value is to get UDP answers to pass
through broken firewalls that block fragmented
packets and/or block UDP packets that are greater
than 512 bytes.
@@ -7226,6 +7231,8 @@ query-source-v6 address * port *;
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
This is independent of the advertised receive
buffer (<command>edns-udp-size</command>).
</para>
</listitem>
</varlistentry>
@@ -7443,10 +7450,10 @@ query-source-v6 address * port *;
If you are using the address ranges covered here, you should
already have reverse zones covering the addresses you use.
In practice this appears to not be the case with many queries
being made to the infrustructure servers for names in these
being made to the infrastructure servers for names in these
spaces. So many in fact that sacrificial servers were needed
to be deployed to channel the query load away from the
infrustructure servers.
infrastructure servers.
</para>
<note>
The real parent servers for these zones should disable all
@@ -8340,7 +8347,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
numbers (in the
tens or hundreds of thousands) of zones per server, it
is best to
use a two-level naming scheme for zone file names. For
use a two-level naming scheme for zone filenames. For
example,
a slave server for the zone <literal>example.com</literal> might place
the zone contents into a file called
@@ -8806,8 +8813,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<term><command>journal</command></term>
<listitem>
<para>
Allow the default journal's file name to be overridden.
The default is the zone's file with "<filename>.jnl</filename>" appended.
Allow the default journal's filename to be overridden.
The default is the zone's filename with "<filename>.jnl</filename>" appended.
This is applicable to <command>master</command> and <command>slave</command> zones.
</para>
</listitem>
@@ -10566,14 +10573,14 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<para><command>lhs</command></para>
</entry>
<entry colname="2">
<para><command>lhs</command>
<para>This
describes the owner name of the resource records
to be created. Any single <command>$</command>
(dollar sign)
symbols within the <command>lhs</command> side
are replaced by the iterator value.
To get a $ in the output you need to escape the
To get a $ in the output, you need to escape the
<command>$</command> using a backslash
<command>\</command>,
e.g. <command>\$</command>. The
@@ -10582,7 +10589,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
iterator, field width and base.
Modifiers are introduced by a
<command>{</command> immediately following the
<command>{</command> (left brace) immediately following the
<command>$</command> as
<command>${offset[,width[,base]]}</command>.
For example, <command>${-20,3,d}</command>
@@ -10655,7 +10662,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</entry>
<entry colname="2">
<para>
A domain name. It is processed
<command>rhs</command> is a domain name. It is processed
similarly to lhs.
</para>
</entry>
@@ -10783,7 +10790,7 @@ zone "example.com" {
</para>
</sect1>
<sect1>
<title><command>chroot</command> and <command>setuid</command></title>
<title><command>Chroot</command> and <command>Setuid</command></title>
<para>
On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
@@ -10822,7 +10829,7 @@ zone "example.com" {
for this.
</para>
<para>
Unlike with earlier versions of BIND, you will typically
Unlike with earlier versions of BIND, you typically will
<emphasis>not</emphasis> need to compile <command>named</command>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
@@ -11045,7 +11052,7 @@ zone "example.com" {
Wolfhugel, and others.
</para>
<para>
<acronym>BIND</acronym> version 4.9.2 was sponsored by
In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
Vixie Enterprises. Paul
Vixie became <acronym>BIND</acronym>'s principal
architect/programmer.
@@ -11079,7 +11086,8 @@ zone "example.com" {
<emphasis>Anycast</emphasis>,
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
an identifier for a set of interfaces. Here we describe the global
Unicast address scheme. For more information, see RFC 3587.
Unicast address scheme. For more information, see RFC 3587,
"Global Unicast Address Format."
</para>
<para>
IPv6 unicast addresses consist of a