1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="BIND 9 Administrator Reference Manual"
11 HREF="Bv9ARM.html"><LINK
13 TITLE="BIND 9 Administrator Reference Manual"
14 HREF="Bv9ARM.html"><LINK
16 TITLE="BIND Resource Requirements"
17 HREF="Bv9ARM.ch02.html"></HEAD
28 SUMMARY="Header navigation table"
37 >BIND 9 Administrator Reference Manual</TH
59 HREF="Bv9ARM.ch02.html"
74 >Chapter 1. Introduction </H1
84 HREF="Bv9ARM.ch01.html#AEN15"
89 HREF="Bv9ARM.ch01.html#AEN22"
90 >Organization of This Document</A
94 HREF="Bv9ARM.ch01.html#AEN42"
95 >Conventions Used in This Document</A
99 HREF="Bv9ARM.ch01.html#AEN107"
100 >The Domain Name System (<ACRONYM
108 >The Internet Domain Name System (<ACRONYM
111 >) consists of the syntax
112 to specify the names of entities in the Internet in a hierarchical
113 manner, the rules used for delegating authority over names, and the
114 system implementation that actually maps names to Internet
118 > data is maintained in a group of distributed
119 hierarchical databases.</P
126 >1.1. Scope of Document</A
129 >The Berkeley Internet Name Domain (<ACRONYM
133 domain name server for a number of operating systems. This
134 document provides basic information about the installation and
135 care of the Internet Software Consortium (<ACRONYM
142 > version 9 software package for system
145 >This version of the manual corresponds to BIND version 9.3.</P
153 >1.2. Organization of This Document</A
156 >In this document, <SPAN
176 describes resource requirements for running <ACRONYM
180 environments. Information in <SPAN
193 > in its presentation and is
194 organized functionally, to aid in the process of installing the
198 > 9 software. The task-oriented section is followed by
205 >, which contains more advanced
206 concepts that the system administrator may need for implementing
207 certain options. <SPAN
214 describes the <ACRONYM
218 resolver. The contents of <SPAN
225 organized as in a reference manual to aid in the ongoing
226 maintenance of the software. <SPAN
233 >addresses security considerations, and
240 > contains troubleshooting help. The
241 main body of the document is followed by several
248 > which contain useful reference
249 information, such as a <SPAN
256 historic information related to <ACRONYM
259 > and the Domain Name
268 >1.3. Conventions Used in This Document</A
271 >In this document, we use the following general typographic
274 CLASS="informaltable"
303 >We use the style:</I
311 >a pathname, filename, URL, hostname,
312 mailing list name, or new term or concept</P
332 >Fixed Width Bold</KBD
344 CLASS="computeroutput"
355 >The following conventions are used in descriptions of the
359 > configuration file:<DIV
360 CLASS="informaltable"
389 >We use the style:</I
429 >Text is enclosed in square brackets</SPAN
446 >1.4. The Domain Name System (<ACRONYM
452 >The purpose of this document is to explain the installation
453 and upkeep of the <ACRONYM
456 > software package, and we
457 begin by reviewing the fundamentals of the Domain Name System
461 >) as they relate to <ACRONYM
472 >1.4.1. DNS Fundamentals</A
475 >The Domain Name System (DNS) is the hierarchical, distributed
476 database. It stores information for mapping Internet host names to IP
477 addresses and vice versa, mail routing information, and other data
478 used by Internet applications.</P
480 >Clients look up information in the DNS by calling a
487 > library, which sends queries to one or
494 > and interprets the responses.
498 > 9 software distribution contains a
518 >1.4.2. Domains and Domain Names</A
521 >The data stored in the DNS is identified by <SPAN
528 > that are organized as a tree according to
529 organizational or administrative boundaries. Each node of the tree,
536 >, is given a label. The domain name of the
537 node is the concatenation of all the labels on the path from the
544 > node. This is represented
545 in written form as a string of labels listed from right to left and
546 separated by dots. A label need only be unique within its parent
549 >For example, a domain name for a host at the
559 >mail.example.com</VAR
565 top level domain to which
568 >ourhost.example.com</VAR
584 >For administrative purposes, the name space is partitioned into
591 >, each starting at a node and
592 extending down to the leaf nodes or to nodes where other zones start.
593 The data for each zone is stored in a <SPAN
600 >, which answers queries about the zone using the
610 >The data associated with each domain name is stored in the
621 Some of the supported resource record types are described in
623 HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them"
627 >For more detailed information about the design of the DNS and
628 the DNS protocol, please refer to the standards documents listed in
630 HREF="Bv9ARM.ch09.html#rfcs"
643 >To properly operate a name server, it is important to understand
644 the difference between a <SPAN
659 >As we stated previously, a zone is a point of delegation in
663 > tree. A zone consists of
664 those contiguous parts of the domain
665 tree for which a name server has complete information and over which
666 it has authority. It contains all domain names from a certain point
667 downward in the domain tree except those which are delegated to
668 other zones. A delegation point is marked by one or more
676 parent zone, which should be matched by equivalent NS records at
677 the root of the delegated zone.</P
679 >For instance, consider the <VAR
683 domain which includes names
686 >host.aaa.example.com</VAR
690 >host.bbb.example.com</VAR
696 only delegations for the <VAR
698 >aaa.example.com</VAR
702 >bbb.example.com</VAR
703 > zones. A zone can map
704 exactly to a single domain, but could also include only part of a
705 domain, the rest of which could be delegated to other
706 name servers. Every name in the <ACRONYM
730 >. Every subdomain is a domain and
731 every domain except the root is also a subdomain. The terminology is
732 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
733 gain a complete understanding of this difficult and subtle
739 > is called a "domain name server",
740 it deals primarily in terms of zones. The master and slave
741 declarations in the <TT
745 zones, not domains. When you ask some other site if it is willing to
746 be a slave server for your <SPAN
753 actually asking for slave service for some collection of zones.</P
761 >1.4.4. Authoritative Name Servers</A
764 >Each zone is served by at least
769 >authoritative name server</I
772 which contains the complete data for the zone.
773 To make the DNS tolerant of server and network failures,
774 most zones have two or more authoritative servers.
777 >Responses from authoritative servers have the "authoritative
778 answer" (AA) bit set in the response packets. This makes them
779 easy to identify when debugging DNS configurations using tools like
784 HREF="Bv9ARM.ch03.html#diagnostic_tools"
793 >1.4.4.1. The Primary Master</A
796 > The authoritative server where the master copy of the zone data is maintained is
803 > server, or simply the
810 >. It loads the zone contents from some
811 local file edited by humans or perhaps generated mechanically from
812 some other local file which is edited by humans. This file is called
833 >1.4.4.2. Slave Servers</A
836 >The other authoritative servers, the <SPAN
843 servers (also known as <SPAN
850 the zone contents from another server using a replication process
857 >. Typically the data are
858 transferred directly from the primary master, but it is also possible
859 to transfer it from another slave. In other words, a slave server
860 may itself act as a master to a subordinate slave server.</P
868 >1.4.4.3. Stealth Servers</A
871 >Usually all of the zone's authoritative servers are listed in
872 NS records in the parent zone. These NS records constitute
879 > of the zone from the parent.
880 The authoritative servers are also listed in the zone file itself,
894 of the zone. You can list servers in the zone's top-level NS
895 records that are not in the parent's NS delegation, but you cannot
896 list servers in the parent's delegation that are not present at
897 the zone's top level.</P
905 > is a server that is
906 authoritative for a zone but is not listed in that zone's NS
907 records. Stealth servers can be used for keeping a local copy of a
908 zone to speed up access to the zone's records or to make sure that the
909 zone is available even if all the "official" servers for the zone are
912 >A configuration where the primary master server itself is a
913 stealth server is often referred to as a "hidden primary"
914 configuration. One use for this configuration is when the primary master
915 is behind a firewall and therefore unable to communicate directly
916 with the outside world.</P
925 >1.4.5. Caching Name Servers</A
928 >The resolver libraries provided by most operating systems are
935 >, meaning that they are not capable of
936 performing the full DNS resolution process by themselves by talking
937 directly to the authoritative servers. Instead, they rely on a local
938 name server to perform the resolution on their behalf. Such a server
945 > name server; it performs
950 >recursive lookups</I
952 > for local clients.</P
954 >To improve performance, recursive servers cache the results of
955 the lookups they perform. Since the processes of recursion and
956 caching are intimately connected, the terms
970 > are often used synonymously.</P
972 >The length of time for which a record may be retained in
973 in the cache of a caching name server is controlled by the
974 Time To Live (TTL) field associated with each resource record.
982 >1.4.5.1. Forwarding</A
985 >Even a caching name server does not necessarily perform
986 the complete recursive lookup itself. Instead, it can
993 > some or all of the queries
994 that it cannot satisfy from its cache to another caching name server,
995 commonly referred to as a <SPAN
1004 >There may be one or more forwarders,
1005 and they are queried in turn until the list is exhausted or an answer
1006 is found. Forwarders are typically used when you do not
1007 wish all the servers at a given site to interact directly with the rest of
1008 the Internet servers. A typical scenario would involve a number
1009 of internal <ACRONYM
1012 > servers and an Internet firewall. Servers unable
1013 to pass packets through the firewall would forward to the server
1014 that can do it, and that server would query the Internet <ACRONYM
1018 on the internal server's behalf. An added benefit of using the forwarding
1019 feature is that the central machine develops a much more complete
1020 cache of information that all the clients can take advantage
1030 >1.4.6. Name Servers in Multiple Roles</A
1036 > name server can simultaneously act as
1037 a master for some zones, a slave for other zones, and as a caching
1038 (recursive) server for a set of local clients.</P
1040 >However, since the functions of authoritative name service
1041 and caching/recursive name service are logically separate, it is
1042 often advantageous to run them on separate server machines.
1044 A server that only provides authoritative name service
1049 >authoritative-only</I
1051 > server) can run with
1052 recursion disabled, improving reliability and security.
1054 A server that is not authoritative for any zones and only provides
1055 recursive service to local
1063 does not need to be reachable from the Internet at large and can
1064 be placed inside a firewall.</P
1073 SUMMARY="Footer navigation table"
1102 HREF="Bv9ARM.ch02.html"
1112 >BIND 9 Administrator Reference Manual</TD
1125 > Resource Requirements</TD