2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
19 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
20 <title>Chapter 3. Name Server Configuration</title>
21 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
22 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
23 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
25 <link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
27 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
28 <div class="navheader">
29 <table width="100%" summary="Navigation header">
30 <tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
32 <td width="20%" align="left">
33 <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
34 <th width="60%" align="center"> </th>
35 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
42 <div class="titlepage"><div><div><h1 class="title">
43 <a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h1></div></div></div>
45 <p><b>Table of Contents</b></p>
47 <dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
49 <dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>
50 <dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>
52 <dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>
53 <dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>
55 <dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
56 <dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
61 In this chapter we provide some suggested configurations along
62 with guidelines for their use. We suggest reasonable values for
63 certain option settings.
66 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
67 <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
69 <div class="titlepage"><div><div><h3 class="title">
70 <a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>
72 The following sample configuration is appropriate for a caching-only
73 name server for use by clients internal to a corporation. All
75 from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
76 option. Alternatively, the same effect could be achieved using
80 <pre class="programlisting">
81 // Two corporate subnets we wish to allow queries from.
82 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
85 directory "/etc/namedb";
87 allow-query { corpnets; };
89 // Provide a reverse mapping for the loopback
91 zone "0.0.127.in-addr.arpa" {
99 <div class="titlepage"><div><div><h3 class="title">
100 <a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>
102 This sample configuration is for an authoritative-only server
103 that is the master server for "<code class="filename">example.com</code>"
104 and a slave for the subdomain "<code class="filename">eng.example.com</code>".
106 <pre class="programlisting">
109 directory "/etc/namedb";
110 // Do not allow access to cache
111 allow-query-cache { none; };
112 // This is the default
113 allow-query { any; };
114 // Do not provide recursive service
118 // Provide a reverse mapping for the loopback
120 zone "0.0.127.in-addr.arpa" {
122 file "localhost.rev";
125 // We are the master server for example.com
128 file "example.com.db";
129 // IP addresses of slave servers allowed to
130 // transfer example.com
136 // We are a slave server for eng.example.com
137 zone "eng.example.com" {
139 file "eng.example.com.bk";
140 // IP address of eng.example.com master server
141 masters { 192.168.4.12; };
146 <div class="section">
147 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
148 <a name="load_balancing"></a>Load Balancing</h2></div></div></div>
150 A primitive form of load balancing can be achieved in
151 the <acronym class="acronym">DNS</acronym> by using multiple records
152 (such as multiple A records) for one name.
155 For example, if you have three WWW servers with network addresses
156 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
157 following means that clients will connect to each machine one third
160 <div class="informaltable"><table border="1">
162 <col width="0.875in" class="1">
163 <col width="0.500in" class="2">
164 <col width="0.750in" class="3">
165 <col width="0.750in" class="4">
166 <col width="2.028in" class="5">
192 Resource Record (RR) Data
199 <code class="literal">www</code>
204 <code class="literal">600</code>
209 <code class="literal">IN</code>
214 <code class="literal">A</code>
219 <code class="literal">10.0.0.1</code>
229 <code class="literal">600</code>
234 <code class="literal">IN</code>
239 <code class="literal">A</code>
244 <code class="literal">10.0.0.2</code>
254 <code class="literal">600</code>
259 <code class="literal">IN</code>
264 <code class="literal">A</code>
269 <code class="literal">10.0.0.3</code>
276 When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
277 them and respond to the query with the records in a different
278 order. In the example above, clients will randomly receive
279 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
280 will use the first record returned and discard the rest.
283 For more detail on ordering responses, check the
284 <span class="command"><strong>rrset-order</strong></span> sub-statement in the
285 <span class="command"><strong>options</strong></span> statement, see
286 <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
289 <div class="section">
290 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
291 <a name="ns_operations"></a>Name Server Operations</h2></div></div></div>
292 <div class="section">
293 <div class="titlepage"><div><div><h3 class="title">
294 <a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
296 This section describes several indispensable diagnostic,
297 administrative and monitoring tools available to the system
298 administrator for controlling and debugging the name server
301 <div class="section">
302 <div class="titlepage"><div><div><h4 class="title">
303 <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
305 The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
306 <span class="command"><strong>nslookup</strong></span> programs are all command
308 for manually querying name servers. They differ in style and
311 <div class="variablelist"><dl class="variablelist">
312 <dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
315 The domain information groper (<span class="command"><strong>dig</strong></span>)
316 is the most versatile and complete of these lookup tools.
317 It has two modes: simple interactive
318 mode for a single query, and batch mode which executes a
320 each in a list of several query lines. All query options are
322 from the command line.
324 <div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
326 The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
329 <span class="command"><strong>dig @server domain query-type query-class</strong></span>
332 For more information and a list of available commands and
333 options, see the <span class="command"><strong>dig</strong></span> man
337 <dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
340 The <span class="command"><strong>host</strong></span> utility emphasizes
342 and ease of use. By default, it converts
343 between host names and Internet addresses, but its
345 can be extended with the use of options.
347 <div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
349 For more information and a list of available commands and
350 options, see the <span class="command"><strong>host</strong></span> man
354 <dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>
356 <p><span class="command"><strong>nslookup</strong></span>
357 has two modes: interactive and
358 non-interactive. Interactive mode allows the user to
359 query name servers for information about various
360 hosts and domains or to print a list of hosts in a
361 domain. Non-interactive mode is used to print just
362 the name and requested information for a host or
365 <div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
367 Interactive mode is entered when no arguments are given (the
368 default name server will be used) or when the first argument
370 hyphen (`-') and the second argument is the host name or
375 Non-interactive mode is used when the name or Internet
377 of the host to be looked up is given as the first argument.
379 optional second argument specifies the host name or address
383 Due to its arcane user interface and frequently inconsistent
384 behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.
385 Use <span class="command"><strong>dig</strong></span> instead.
390 <div class="section">
391 <div class="titlepage"><div><div><h4 class="title">
392 <a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
394 Administrative tools play an integral part in the management
397 <div class="variablelist"><dl class="variablelist">
399 <a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>
403 The <span class="command"><strong>named-checkconf</strong></span> program
404 checks the syntax of a <code class="filename">named.conf</code> file.
406 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
409 <a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>
413 The <span class="command"><strong>named-checkzone</strong></span> program
414 checks a master file for
415 syntax and consistency.
417 <div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
420 <a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>
423 Similar to <span class="command"><strong>named-checkzone,</strong></span> but
424 it always dumps the zone content to a specified file
425 (typically in a different format).
428 <a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span>
432 The remote name daemon control
433 (<span class="command"><strong>rndc</strong></span>) program allows the
435 administrator to control the operation of a name server.
436 Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
437 supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>
438 utility except <span class="command"><strong>ndc start</strong></span> and
439 <span class="command"><strong>ndc restart</strong></span>, which were also
440 not supported in <span class="command"><strong>ndc</strong></span>'s
442 If you run <span class="command"><strong>rndc</strong></span> without any
444 it will display a usage message as follows:
446 <div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
447 <p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
448 the available <span class="command"><strong>rndc</strong></span> commands.
451 <span class="command"><strong>rndc</strong></span> requires a configuration file,
453 communication with the server is authenticated with
454 digital signatures that rely on a shared secret, and
455 there is no way to provide that secret other than with a
456 configuration file. The default location for the
457 <span class="command"><strong>rndc</strong></span> configuration file is
458 <code class="filename">/etc/rndc.conf</code>, but an
460 location can be specified with the <code class="option">-c</code>
461 option. If the configuration file is not found,
462 <span class="command"><strong>rndc</strong></span> will also look in
463 <code class="filename">/etc/rndc.key</code> (or whatever
464 <code class="varname">sysconfdir</code> was defined when
465 the <acronym class="acronym">BIND</acronym> build was
467 The <code class="filename">rndc.key</code> file is
469 running <span class="command"><strong>rndc-confgen -a</strong></span> as
471 <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and
475 The format of the configuration file is similar to
476 that of <code class="filename">named.conf</code>, but
478 only four statements, the <span class="command"><strong>options</strong></span>,
479 <span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
480 <span class="command"><strong>include</strong></span>
481 statements. These statements are what associate the
482 secret keys to the servers with which they are meant to
483 be shared. The order of statements is not
487 The <span class="command"><strong>options</strong></span> statement has
489 <span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
490 and <span class="command"><strong>default-port</strong></span>.
491 <span class="command"><strong>default-server</strong></span> takes a
492 host name or address argument and represents the server
494 be contacted if no <code class="option">-s</code>
495 option is provided on the command line.
496 <span class="command"><strong>default-key</strong></span> takes
497 the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
498 <span class="command"><strong>default-port</strong></span> specifies the
500 <span class="command"><strong>rndc</strong></span> should connect if no
501 port is given on the command line or in a
502 <span class="command"><strong>server</strong></span> statement.
505 The <span class="command"><strong>key</strong></span> statement defines a
507 by <span class="command"><strong>rndc</strong></span> when authenticating
509 <span class="command"><strong>named</strong></span>. Its syntax is
511 <span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>.
512 The keyword <strong class="userinput"><code>key</code></strong> is
513 followed by a key name, which must be a valid
514 domain name, though it need not actually be hierarchical;
516 a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
518 The <span class="command"><strong>key</strong></span> statement has two
520 <span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
521 While the configuration parser will accept any string as the
523 to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
524 has any meaning. The secret is a base-64 encoded string
525 as specified in RFC 3548.
528 The <span class="command"><strong>server</strong></span> statement
530 defined using the <span class="command"><strong>key</strong></span>
531 statement with a server.
532 The keyword <strong class="userinput"><code>server</code></strong> is followed by a
533 host name or address. The <span class="command"><strong>server</strong></span> statement
534 has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>.
535 The <span class="command"><strong>key</strong></span> clause specifies the
537 to be used when communicating with this server, and the
538 <span class="command"><strong>port</strong></span> clause can be used to
539 specify the port <span class="command"><strong>rndc</strong></span> should
544 A sample minimal configuration file is as follows:
546 <pre class="programlisting">
548 algorithm "hmac-md5";
550 "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
553 default-server 127.0.0.1;
554 default-key rndc_key;
558 This file, if installed as <code class="filename">/etc/rndc.conf</code>,
559 would allow the command:
562 <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
565 to connect to 127.0.0.1 port 953 and cause the name server
566 to reload, if a name server on the local machine were
568 following controls statements:
570 <pre class="programlisting">
573 allow { localhost; } keys { rndc_key; };
577 and it had an identical key statement for
578 <code class="literal">rndc_key</code>.
581 Running the <span class="command"><strong>rndc-confgen</strong></span>
583 conveniently create a <code class="filename">rndc.conf</code>
584 file for you, and also display the
585 corresponding <span class="command"><strong>controls</strong></span>
586 statement that you need to
587 add to <code class="filename">named.conf</code>.
589 you can run <span class="command"><strong>rndc-confgen -a</strong></span>
591 a <code class="filename">rndc.key</code> file and not
593 <code class="filename">named.conf</code> at all.
599 <div class="section">
600 <div class="titlepage"><div><div><h3 class="title">
601 <a name="signals"></a>Signals</h3></div></div></div>
603 Certain UNIX signals cause the name server to take specific
604 actions, as described in the following table. These signals can
605 be sent using the <span class="command"><strong>kill</strong></span> command.
607 <div class="informaltable"><table border="1">
609 <col width="1.125in" class="1">
610 <col width="4.000in" class="2">
615 <p><span class="command"><strong>SIGHUP</strong></span></p>
619 Causes the server to read <code class="filename">named.conf</code> and
626 <p><span class="command"><strong>SIGTERM</strong></span></p>
630 Causes the server to clean up and exit.
636 <p><span class="command"><strong>SIGINT</strong></span></p>
640 Causes the server to clean up and exit.
649 <div class="navfooter">
651 <table width="100%" summary="Navigation footer">
653 <td width="40%" align="left">
654 <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
655 <td width="20%" align="center"> </td>
656 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
660 <td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
661 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
662 <td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
666 <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>