mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-09-01 06:55:30 +00:00
minor documentation fixes from Jeremy [RT #16855]
This commit is contained in:
Mark Andrews
@@ -18,7 +18,7 @@
|
|||||||
- PERFORMANCE OF THIS SOFTWARE.
|
- PERFORMANCE OF THIS SOFTWARE.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.319 2007/04/26 06:14:26 marka Exp $ -->
|
<!-- File: $Id: Bv9ARM-book.xml,v 1.320 2007/05/08 00:19:55 marka Exp $ -->
|
||||||
<book xmlns:xi="http://www.w3.org/2001/XInclude">
|
<book xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||||
<title>BIND 9 Administrator Reference Manual</title>
|
<title>BIND 9 Administrator Reference Manual</title>
|
||||||
|
|
||||||
@@ -91,8 +91,8 @@
|
|||||||
security considerations, and
|
security considerations, and
|
||||||
<emphasis>Section 8</emphasis> contains troubleshooting help. The
|
<emphasis>Section 8</emphasis> contains troubleshooting help. The
|
||||||
main body of the document is followed by several
|
main body of the document is followed by several
|
||||||
<emphasis>Appendices</emphasis> which contain useful reference
|
<emphasis>appendices</emphasis> which contain useful reference
|
||||||
information, such as a <emphasis>Bibliography</emphasis> and
|
information, such as a <emphasis>bibliography</emphasis> and
|
||||||
historic information related to <acronym>BIND</acronym>
|
historic information related to <acronym>BIND</acronym>
|
||||||
and the Domain Name
|
and the Domain Name
|
||||||
System.
|
System.
|
||||||
@@ -229,8 +229,8 @@
|
|||||||
<title>The Domain Name System (<acronym>DNS</acronym>)</title>
|
<title>The Domain Name System (<acronym>DNS</acronym>)</title>
|
||||||
<para>
|
<para>
|
||||||
The purpose of this document is to explain the installation
|
The purpose of this document is to explain the installation
|
||||||
and upkeep of the <acronym>BIND</acronym> software
|
and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
|
||||||
package, and we
|
Name Domain) software package, and we
|
||||||
begin by reviewing the fundamentals of the Domain Name System
|
begin by reviewing the fundamentals of the Domain Name System
|
||||||
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
|
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
|
||||||
</para>
|
</para>
|
||||||
@@ -1085,6 +1085,12 @@ zone "eng.example.com" {
|
|||||||
(<command>rndc</command>) program allows the
|
(<command>rndc</command>) program allows the
|
||||||
system
|
system
|
||||||
administrator to control the operation of a name server.
|
administrator to control the operation of a name server.
|
||||||
|
Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
|
||||||
|
supports all the commands of the BIND 8 <command>ndc</command>
|
||||||
|
utility except <command>ndc start</command> and
|
||||||
|
<command>ndc restart</command>, which were also
|
||||||
|
not supported in <command>ndc</command>'s
|
||||||
|
channel mode.
|
||||||
If you run <command>rndc</command> without any
|
If you run <command>rndc</command> without any
|
||||||
options
|
options
|
||||||
it will display a usage message as follows:
|
it will display a usage message as follows:
|
||||||
@@ -1356,15 +1362,6 @@ zone "eng.example.com" {
|
|||||||
|
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>
|
|
||||||
In <acronym>BIND</acronym> 9.2, <command>rndc</command>
|
|
||||||
supports all the commands of the BIND 8 <command>ndc</command>
|
|
||||||
utility except <command>ndc start</command> and
|
|
||||||
<command>ndc restart</command>, which were also
|
|
||||||
not supported in <command>ndc</command>'s
|
|
||||||
channel mode.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
A configuration file is required, since all
|
A configuration file is required, since all
|
||||||
communication with the server is authenticated with
|
communication with the server is authenticated with
|
||||||
@@ -1758,9 +1755,8 @@ controls {
|
|||||||
on the Internet. Split DNS can also be used to allow mail from outside
|
on the Internet. Split DNS can also be used to allow mail from outside
|
||||||
back in to the internal network.
|
back in to the internal network.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<sect2>
|
||||||
Here is an example of a split DNS setup:
|
<title>Example split DNS setup</title>
|
||||||
</para>
|
|
||||||
<para>
|
<para>
|
||||||
Let's say a company named <emphasis>Example, Inc.</emphasis>
|
Let's say a company named <emphasis>Example, Inc.</emphasis>
|
||||||
(<literal>example.com</literal>)
|
(<literal>example.com</literal>)
|
||||||
@@ -1995,6 +1991,7 @@ nameserver 172.16.72.3
|
|||||||
nameserver 172.16.72.4
|
nameserver 172.16.72.4
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
<sect1 id="tsig">
|
<sect1 id="tsig">
|
||||||
<title>TSIG</title>
|
<title>TSIG</title>
|
||||||
@@ -2193,7 +2190,7 @@ allow-update { key host1-host2. ;};
|
|||||||
outside of the allowed range, the response will be signed with
|
outside of the allowed range, the response will be signed with
|
||||||
the TSIG extended error code set to BADTIME, and the time values
|
the TSIG extended error code set to BADTIME, and the time values
|
||||||
will be adjusted so that the response can be successfully
|
will be adjusted so that the response can be successfully
|
||||||
verified. In any of these cases, the message's rcode is set to
|
verified. In any of these cases, the message's rcode (response code) is set to
|
||||||
NOTAUTH (not authenticated).
|
NOTAUTH (not authenticated).
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
@@ -2272,7 +2269,7 @@ allow-update { key host1-host2. ;};
|
|||||||
<para>
|
<para>
|
||||||
Cryptographic authentication of DNS information is possible
|
Cryptographic authentication of DNS information is possible
|
||||||
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
|
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
|
||||||
defined in RFC 4033, RFC 4034 and RFC 4035.
|
defined in RFC 4033, RFC 4034, and RFC 4035.
|
||||||
This section describes the creation and use of DNSSEC signed zones.
|
This section describes the creation and use of DNSSEC signed zones.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
@@ -2340,7 +2337,7 @@ allow-update { key host1-host2. ;};
|
|||||||
<filename>Kchild.example.+005+12345.key</filename> and
|
<filename>Kchild.example.+005+12345.key</filename> and
|
||||||
<filename>Kchild.example.+005+12345.private</filename>
|
<filename>Kchild.example.+005+12345.private</filename>
|
||||||
(where
|
(where
|
||||||
12345 is an example of a key tag). The key file names contain
|
12345 is an example of a key tag). The key filenames contain
|
||||||
the key name (<filename>child.example.</filename>),
|
the key name (<filename>child.example.</filename>),
|
||||||
algorithm (3
|
algorithm (3
|
||||||
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
|
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
|
||||||
@@ -2842,7 +2839,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||||||
<entry colname="2">
|
<entry colname="2">
|
||||||
<para>
|
<para>
|
||||||
An IP port <varname>number</varname>.
|
An IP port <varname>number</varname>.
|
||||||
<varname>number</varname> is limited to 0
|
The <varname>number</varname> is limited to 0
|
||||||
through 65535, with values
|
through 65535, with values
|
||||||
below 1024 typically restricted to use by processes running
|
below 1024 typically restricted to use by processes running
|
||||||
as root.
|
as root.
|
||||||
@@ -3120,7 +3117,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||||||
<para>
|
<para>
|
||||||
The <acronym>BIND</acronym> 9 comment syntax allows for
|
The <acronym>BIND</acronym> 9 comment syntax allows for
|
||||||
comments to appear
|
comments to appear
|
||||||
anywhere that white space may appear in a <acronym>BIND</acronym> configuration
|
anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
|
||||||
file. To appeal to programmers of all kinds, they can be written
|
file. To appeal to programmers of all kinds, they can be written
|
||||||
in the C, C++, or shell/perl style.
|
in the C, C++, or shell/perl style.
|
||||||
</para>
|
</para>
|
||||||
@@ -3137,7 +3134,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||||||
<sect3>
|
<sect3>
|
||||||
<title>Definition and Usage</title>
|
<title>Definition and Usage</title>
|
||||||
<para>
|
<para>
|
||||||
Comments may appear anywhere that white space may appear in
|
Comments may appear anywhere that whitespace may appear in
|
||||||
a <acronym>BIND</acronym> configuration file.
|
a <acronym>BIND</acronym> configuration file.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
@@ -4207,7 +4204,7 @@ category notify { null; };
|
|||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
the query log entry reports the client's IP
|
The query log entry reports the client's IP
|
||||||
address and port number, and the query name,
|
address and port number, and the query name,
|
||||||
class and type. It also reports whether the
|
class and type. It also reports whether the
|
||||||
Recursion Desired flag was set (+ if set, -
|
Recursion Desired flag was set (+ if set, -
|
||||||
@@ -4303,7 +4300,7 @@ category notify { null; };
|
|||||||
The <command>lwres</command> statement configures the
|
The <command>lwres</command> statement configures the
|
||||||
name
|
name
|
||||||
server to also act as a lightweight resolver server. (See
|
server to also act as a lightweight resolver server. (See
|
||||||
<xref linkend="lwresd"/>.) There may be be multiple
|
<xref linkend="lwresd"/>.) There may be multiple
|
||||||
<command>lwres</command> statements configuring
|
<command>lwres</command> statements configuring
|
||||||
lightweight resolver servers with different properties.
|
lightweight resolver servers with different properties.
|
||||||
</para>
|
</para>
|
||||||
@@ -4697,7 +4694,7 @@ category notify { null; };
|
|||||||
name server. Specifying <command>pid-file none</command> disables the
|
name server. Specifying <command>pid-file none</command> disables the
|
||||||
use of a PID file — no file will be written and any
|
use of a PID file — no file will be written and any
|
||||||
existing one will be removed. Note that <command>none</command>
|
existing one will be removed. Note that <command>none</command>
|
||||||
is a keyword, not a file name, and therefore is not enclosed
|
is a keyword, not a filename, and therefore is not enclosed
|
||||||
in
|
in
|
||||||
double quotes.
|
double quotes.
|
||||||
</para>
|
</para>
|
||||||
@@ -5326,7 +5323,7 @@ options {
|
|||||||
<para>
|
<para>
|
||||||
<emphasis>This option is obsolete</emphasis>.
|
<emphasis>This option is obsolete</emphasis>.
|
||||||
If you need to disable IXFR to a particular server or
|
If you need to disable IXFR to a particular server or
|
||||||
servers see
|
servers, see
|
||||||
the information on the <command>provide-ixfr</command> option
|
the information on the <command>provide-ixfr</command> option
|
||||||
in <xref linkend="server_statement_definition_and_usage"/>.
|
in <xref linkend="server_statement_definition_and_usage"/>.
|
||||||
See also
|
See also
|
||||||
@@ -5560,6 +5557,7 @@ options {
|
|||||||
<para>
|
<para>
|
||||||
Accept expired signatures when verifying DNSSEC signatures.
|
Accept expired signatures when verifying DNSSEC signatures.
|
||||||
The default is <userinput>no</userinput>.
|
The default is <userinput>no</userinput>.
|
||||||
|
Setting this option to "yes" leaves named vulnerable to replay attacks.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -5603,7 +5601,7 @@ options {
|
|||||||
and MX records.
|
and MX records.
|
||||||
It also applies to the RDATA of PTR records where the owner
|
It also applies to the RDATA of PTR records where the owner
|
||||||
name indicated that it is a reverse lookup of a hostname
|
name indicated that it is a reverse lookup of a hostname
|
||||||
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
|
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -5728,7 +5726,8 @@ options {
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Try to refresh the zone using TCP if UDP queries fail.
|
Try to refresh the zone using TCP if UDP queries fail.
|
||||||
The default is <command>yes</command>.
|
For BIND 8 compatibility, the default is
|
||||||
|
<command>yes</command>.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -5910,6 +5909,12 @@ options {
|
|||||||
<command>localnets</command> and
|
<command>localnets</command> and
|
||||||
<command>localhost</command>.
|
<command>localhost</command>.
|
||||||
</para>
|
</para>
|
||||||
|
<para>
|
||||||
|
The way to set query access to the cache is now via
|
||||||
|
<command>allow-query-cache</command>.
|
||||||
|
This differs from earlier versions which used
|
||||||
|
<command>allow-query</command>.
|
||||||
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@@ -6819,7 +6824,7 @@ query-source-v6 address * port *;
|
|||||||
</para><note>
|
</para><note>
|
||||||
<simpara>
|
<simpara>
|
||||||
Not yet implemented in
|
Not yet implemented in
|
||||||
<acronym>BIND</acronym>9.
|
<acronym>BIND</acronym> 9.
|
||||||
</simpara>
|
</simpara>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
@@ -7206,7 +7211,7 @@ query-source-v6 address * port *;
|
|||||||
values are 512 to 4096 (values outside this range
|
values are 512 to 4096 (values outside this range
|
||||||
will be silently adjusted). The default value is
|
will be silently adjusted). The default value is
|
||||||
4096. The usual reason for setting edns-udp-size to
|
4096. The usual reason for setting edns-udp-size to
|
||||||
a non-default value it to get UDP answers to pass
|
a non-default value is to get UDP answers to pass
|
||||||
through broken firewalls that block fragmented
|
through broken firewalls that block fragmented
|
||||||
packets and/or block UDP packets that are greater
|
packets and/or block UDP packets that are greater
|
||||||
than 512 bytes.
|
than 512 bytes.
|
||||||
@@ -7226,6 +7231,8 @@ query-source-v6 address * port *;
|
|||||||
answers to pass through broken firewalls that
|
answers to pass through broken firewalls that
|
||||||
block fragmented packets and/or block UDP packets
|
block fragmented packets and/or block UDP packets
|
||||||
that are greater than 512 bytes.
|
that are greater than 512 bytes.
|
||||||
|
This is independent of the advertised receive
|
||||||
|
buffer (<command>edns-udp-size</command>).
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -7443,10 +7450,10 @@ query-source-v6 address * port *;
|
|||||||
If you are using the address ranges covered here, you should
|
If you are using the address ranges covered here, you should
|
||||||
already have reverse zones covering the addresses you use.
|
already have reverse zones covering the addresses you use.
|
||||||
In practice this appears to not be the case with many queries
|
In practice this appears to not be the case with many queries
|
||||||
being made to the infrustructure servers for names in these
|
being made to the infrastructure servers for names in these
|
||||||
spaces. So many in fact that sacrificial servers were needed
|
spaces. So many in fact that sacrificial servers were needed
|
||||||
to be deployed to channel the query load away from the
|
to be deployed to channel the query load away from the
|
||||||
infrustructure servers.
|
infrastructure servers.
|
||||||
</para>
|
</para>
|
||||||
<note>
|
<note>
|
||||||
The real parent servers for these zones should disable all
|
The real parent servers for these zones should disable all
|
||||||
@@ -8340,7 +8347,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
|
|||||||
numbers (in the
|
numbers (in the
|
||||||
tens or hundreds of thousands) of zones per server, it
|
tens or hundreds of thousands) of zones per server, it
|
||||||
is best to
|
is best to
|
||||||
use a two-level naming scheme for zone file names. For
|
use a two-level naming scheme for zone filenames. For
|
||||||
example,
|
example,
|
||||||
a slave server for the zone <literal>example.com</literal> might place
|
a slave server for the zone <literal>example.com</literal> might place
|
||||||
the zone contents into a file called
|
the zone contents into a file called
|
||||||
@@ -8806,8 +8813,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
|
|||||||
<term><command>journal</command></term>
|
<term><command>journal</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Allow the default journal's file name to be overridden.
|
Allow the default journal's filename to be overridden.
|
||||||
The default is the zone's file with "<filename>.jnl</filename>" appended.
|
The default is the zone's filename with "<filename>.jnl</filename>" appended.
|
||||||
This is applicable to <command>master</command> and <command>slave</command> zones.
|
This is applicable to <command>master</command> and <command>slave</command> zones.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@@ -10566,14 +10573,14 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
|
|||||||
<para><command>lhs</command></para>
|
<para><command>lhs</command></para>
|
||||||
</entry>
|
</entry>
|
||||||
<entry colname="2">
|
<entry colname="2">
|
||||||
<para><command>lhs</command>
|
<para>This
|
||||||
describes the owner name of the resource records
|
describes the owner name of the resource records
|
||||||
to be created. Any single <command>$</command>
|
to be created. Any single <command>$</command>
|
||||||
(dollar sign)
|
(dollar sign)
|
||||||
symbols within the <command>lhs</command> side
|
symbols within the <command>lhs</command> side
|
||||||
are replaced by the iterator value.
|
are replaced by the iterator value.
|
||||||
|
|
||||||
To get a $ in the output you need to escape the
|
To get a $ in the output, you need to escape the
|
||||||
<command>$</command> using a backslash
|
<command>$</command> using a backslash
|
||||||
<command>\</command>,
|
<command>\</command>,
|
||||||
e.g. <command>\$</command>. The
|
e.g. <command>\$</command>. The
|
||||||
@@ -10582,7 +10589,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
|
|||||||
iterator, field width and base.
|
iterator, field width and base.
|
||||||
|
|
||||||
Modifiers are introduced by a
|
Modifiers are introduced by a
|
||||||
<command>{</command> immediately following the
|
<command>{</command> (left brace) immediately following the
|
||||||
<command>$</command> as
|
<command>$</command> as
|
||||||
<command>${offset[,width[,base]]}</command>.
|
<command>${offset[,width[,base]]}</command>.
|
||||||
For example, <command>${-20,3,d}</command>
|
For example, <command>${-20,3,d}</command>
|
||||||
@@ -10655,7 +10662,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
|
|||||||
</entry>
|
</entry>
|
||||||
<entry colname="2">
|
<entry colname="2">
|
||||||
<para>
|
<para>
|
||||||
A domain name. It is processed
|
<command>rhs</command> is a domain name. It is processed
|
||||||
similarly to lhs.
|
similarly to lhs.
|
||||||
</para>
|
</para>
|
||||||
</entry>
|
</entry>
|
||||||
@@ -10783,7 +10790,7 @@ zone "example.com" {
|
|||||||
</para>
|
</para>
|
||||||
</sect1>
|
</sect1>
|
||||||
<sect1>
|
<sect1>
|
||||||
<title><command>chroot</command> and <command>setuid</command></title>
|
<title><command>Chroot</command> and <command>Setuid</command></title>
|
||||||
<para>
|
<para>
|
||||||
On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
|
On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
|
||||||
(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
|
(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
|
||||||
@@ -10822,7 +10829,7 @@ zone "example.com" {
|
|||||||
for this.
|
for this.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Unlike with earlier versions of BIND, you will typically
|
Unlike with earlier versions of BIND, you typically will
|
||||||
<emphasis>not</emphasis> need to compile <command>named</command>
|
<emphasis>not</emphasis> need to compile <command>named</command>
|
||||||
statically nor install shared libraries under the new root.
|
statically nor install shared libraries under the new root.
|
||||||
However, depending on your operating system, you may need
|
However, depending on your operating system, you may need
|
||||||
@@ -11045,7 +11052,7 @@ zone "example.com" {
|
|||||||
Wolfhugel, and others.
|
Wolfhugel, and others.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
<acronym>BIND</acronym> version 4.9.2 was sponsored by
|
In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
|
||||||
Vixie Enterprises. Paul
|
Vixie Enterprises. Paul
|
||||||
Vixie became <acronym>BIND</acronym>'s principal
|
Vixie became <acronym>BIND</acronym>'s principal
|
||||||
architect/programmer.
|
architect/programmer.
|
||||||
@@ -11079,7 +11086,8 @@ zone "example.com" {
|
|||||||
<emphasis>Anycast</emphasis>,
|
<emphasis>Anycast</emphasis>,
|
||||||
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
|
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
|
||||||
an identifier for a set of interfaces. Here we describe the global
|
an identifier for a set of interfaces. Here we describe the global
|
||||||
Unicast address scheme. For more information, see RFC 3587.
|
Unicast address scheme. For more information, see RFC 3587,
|
||||||
|
"Global Unicast Address Format."
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
IPv6 unicast addresses consist of a
|
IPv6 unicast addresses consist of a
|
||||||
|
|||||||
Reference in New Issue
Block a user