os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Update the section on named (currently 29.6):

Browse source 
1. s/Internet Software Consortium/Internet Systems Consortium/
2. Tighten up a few sections, improve wording, modernize terminology
3. Remove references to the make-localhost program which is long gone [1]
4. Update the included named.conf file to match current reality
5. Change all references to default TTL in the example zone files to refer
to the TTL for a negative response
6. Simplify the CNAME example
7. Update URLs

PR:		docs/122604 [1]
Submitted by:	keramida [1]
This commit is contained in:
Doug Barton 2009-05-17 02:45:49 +00:00
parent f5ed1eaf48
commit 06864915c7
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=34282
1 changed files with 239 additions and 111 deletions

350
en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
View file

@ -2532,13 +2532,13 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
<see>DHCP</see>
</indexterm>
<indexterm>
<primary>Internet Software Consortium (ISC)</primary>
<primary>Internet Systems Consortium (ISC)</primary>
</indexterm>
<para>DHCP, the Dynamic Host Configuration Protocol, describes
the means by which a system can connect to a network and obtain the
necessary information for communication upon that network. FreeBSD
versions prior to 6.0 use the ISC (Internet Software
versions prior to 6.0 use the ISC (Internet Systems
Consortium) DHCP client (&man.dhclient.8;) implementation.
Later versions use the OpenBSD <command>dhclient</command>
taken from OpenBSD&nbsp;3.7. All
@ -2724,7 +2724,7 @@ dhclient_flags=""</programlisting>
<para>This section provides information on how to configure
a FreeBSD system to act as a DHCP server using the ISC
(Internet Software Consortium) implementation of the DHCP
(Internet Systems Consortium) implementation of the DHCP
server.</para>
<para>The server is not provided as part of
@ -2997,8 +2997,8 @@ dhcpd_ifaces="dc0"</programlisting>
information.</para>
<para>Currently, BIND is maintained by the
Internet Software Consortium
<ulink url="http://www.isc.org/"></ulink>.</para>
Internet Systems Consortium
<ulink url="https://www.isc.org/"></ulink>.</para>
</sect2>
<sect2>
@ -3036,7 +3036,7 @@ dhcpd_ifaces="dc0"</programlisting>
</row>
<row>
<entry><application>named</application>, BIND, name server</entry>
<entry><application>named</application>, BIND</entry>
<entry>Common names for the BIND name server package within
&os;.</entry>
</row>
@ -3049,8 +3049,7 @@ dhcpd_ifaces="dc0"</programlisting>
<row>
<entry>Reverse <acronym>DNS</acronym></entry>
<entry>The opposite of forward <acronym>DNS</acronym>;
mapping of <acronym>IP</acronym> addresses to
<entry>Mapping of <acronym>IP</acronym> addresses to
hostnames.</entry>
</row>
@ -3082,7 +3081,8 @@ dhcpd_ifaces="dc0"</programlisting>
<itemizedlist>
<listitem>
<para><hostid>.</hostid> is the root zone.</para>
<para><hostid>.</hostid> is how the root zone is usually
referred to in documentation.</para>
</listitem>
<listitem>
@ -3100,7 +3100,7 @@ dhcpd_ifaces="dc0"</programlisting>
<para><hostid>1.168.192.in-addr.arpa</hostid> is a zone
referencing all <acronym>IP</acronym> addresses which fall
under the <hostid role="ipaddr">192.168.1.*</hostid>
<acronym>IP</acronym> space.</para>
<acronym>IP</acronym> address space.</para>
</listitem>
</itemizedlist>
@ -3171,7 +3171,7 @@ dhcpd_ifaces="dc0"</programlisting>
<sect2>
<title>How It Works</title>
<para>In &os;, the BIND daemon is called
<application>named</application> for obvious reasons.</para>
<application>named</application>.</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
@ -3228,10 +3228,12 @@ dhcpd_ifaces="dc0"</programlisting>
<para>The default <application>named</application> configuration
is that of a basic resolving name server, running in a
&man.chroot.8; environment. To start the server one time with
&man.chroot.8; environment, and restricted to listening on
the local IPv4 loopback address (127.0.0.1).
To start the server one time with
this configuration, use the following command:</para>
<screen>&prompt.root; <userinput>/etc/rc.d/named forcestart</userinput></screen>
<screen>&prompt.root; <userinput>/etc/rc.d/named onestart</userinput></screen>
<para>To ensure the <application>named</application> daemon is
started at boot each time, put the following line into the
@ -3260,28 +3262,10 @@ dhcpd_ifaces="dc0"</programlisting>
<para>Configuration files for <application>named</application>
currently reside in
<filename class="directory">/etc/namedb</filename> directory and
will need modification before use, unless all that is needed is
will need modification before use unless all that is needed is
a simple resolver. This is where most of the configuration will
be performed.</para>
<sect3>
<title>Using <command>make-localhost</command></title>
<para>To configure a master zone for the localhost visit the
<filename class="directory">/etc/namedb</filename> directory
and run the following command:</para>
<screen>&prompt.root; <userinput>sh make-localhost</userinput></screen>
<para>If all went well, a new file should exist in the
<filename class="directory">master</filename> subdirectory.
The filenames should be <filename>localhost.rev</filename> for
the local domain name and <filename>localhost-v6.rev</filename>
for <acronym>IPv6</acronym> configurations. As the default
configuration file, required information will
be present in the <filename>named.conf</filename> file.</para>
</sect3>
<sect3>
<title><filename>/etc/namedb/named.conf</filename></title>
@ -3296,6 +3280,7 @@ dhcpd_ifaces="dc0"</programlisting>
// or cause huge amounts of useless Internet traffic.
options {
// Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
@ -3311,11 +3296,11 @@ options {
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;
// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
@ -3324,7 +3309,21 @@ options {
forwarders {
127.0.0.1;
};
*/</programlisting>
*/
// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer. Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
// forward only;
// If you wish to have forwarding configured automatically based on
// the entries in /etc/resolv.conf, uncomment the following line and
// set named_auto_forward=yes in /etc/rc.conf. You can also enable
// named_auto_forward_only (the effect of which is described above).
// include "/etc/namedb/auto_forward.conf";
</programlisting>
<para>Just as the comment says, to benefit from an uplink's
cache, <literal>forwarders</literal> can be enabled here.
@ -3344,34 +3343,187 @@ options {
</warning>
<programlisting> /*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
// query-source address * port 53;
Modern versions of BIND use a random UDP port for each outgoing
query by default in order to dramatically reduce the possibility
of cache poisoning. All users are strongly encouraged to utilize
this feature, and to configure their firewalls to accommodate it.
AS A LAST RESORT in order to get around a restrictive firewall
policy you can try enabling the option below. Use of this option
will significantly reduce your ability to withstand cache poisoning
attacks, and should be avoided if at all possible.
Replace NNNNN in the example with a number between 49160 and 65530.
*/
// query-source address * port NNNNN;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "named.root"; };
/* Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS
On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server. Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts. Use with caution.
To use this mechanism, uncomment the entries below, and comment
the hint zone above.
*/
/*
zone "." {
type hint;
file "named.root";
type slave;
file "slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "arpa" {
type slave;
file "slave/arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "in-addr.arpa" {
type slave;
file "slave/in-addr.arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
*/
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
/* Serving the following zones locally will prevent any queries
for these zones leaving your network and going to the root
name servers. This has two significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
*/
// RFC 1912
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
type master;
file "master/localhost-v6.rev";
};
// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };
// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.ip6.arpa" { type master; file "master/empty.db"; };
zone "c.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
// IPv6 ULA (RFC 4193)
zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
// IPv6 Link Local (RFC 4291)
zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
// IPv6 Deprecated Site-Local Addresses (RFC 3879)
zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" { type master; file "master/empty.db"; };
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
@ -3379,26 +3531,19 @@ zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
// primary.
// master name server.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a primary zone, make sure you fully
// understand how DNS and BIND works. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is simpler.
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
/* An example master zone
zone "example.net" {
type master;
file "master/example.net";
};
*/
/* An example dynamic zone
key "exampleorgkey" {
algorithm hmac-md5;
@ -3413,14 +3558,7 @@ zone "example.org" {
};
*/
/* Examples of forward and reverse slave zones
zone "example.com" {
type slave;
file "slave/example.com";
masters {
192.168.1.1;
};
};
/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";
@ -3475,13 +3613,13 @@ zone "1.168.192.in-addr.arpa" {
<filename>/etc/namedb/master/example.org</filename>) is as
follows:</para>
<programlisting>&dollar;TTL 3600 ; 1 hour
<programlisting>&dollar;TTL 3600 ; 1 hour default TTL
example.org. IN SOA ns1.example.org. admin.example.org. (
2006051501 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Minimum TTL
300 ; Negative Reponse TTL
)
; DNS Servers
@ -3502,17 +3640,14 @@ mx IN A 192.168.1.4
mail IN A 192.168.1.5
; Aliases
www IN CNAME @</programlisting>
www IN CNAME example.org.<programlisting>
<para>
Note that every hostname ending in a <quote>.</quote> is an
exact hostname, whereas everything without a trailing
<quote>.</quote> is referenced to the origin. For example,
<literal>www</literal> is translated into
<literal>www.<replaceable>origin</replaceable></literal>.
In our fictitious zone file, our origin is
<hostid>example.org.</hostid>, so <literal>www</literal>
would translate to <hostid>www.example.org.</hostid>
<quote>.</quote> is relative to the origin. For example,
<literal>ns1</literal> is translated into
<literal>ns1.<replaceable>example.org.</replaceable></literal>
</para>
<para>
@ -3573,9 +3708,7 @@ example.org. IN SOA ns1.example.org. admin.example.org. (
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day</programlisting>
300 ) ; Negative Reponse TTL</programlisting>
<variablelist>
<varlistentry>
@ -3653,12 +3786,12 @@ www IN CNAME @</programlisting>
<para>
The canonical name record is usually used for giving aliases
to a machine. In the example, <hostid>www</hostid> is
aliased to the <quote>master</quote> machine which name equals
to domain name <hostid role="domainname">example.org</hostid>
aliased to the <quote>master</quote> machine whose name happens
to be the same as the domain name
<hostid role="domainname">example.org</hostid>
(<hostid role="ipaddr">192.168.1.1</hostid>).
CNAMEs can be used to provide alias
hostnames, or round robin one hostname among multiple
machines.
CNAMEs can never be used together with another kind of record
for the same hostname.
</para>
<indexterm>
@ -3698,7 +3831,7 @@ www IN CNAME @</programlisting>
10800 ; Refresh
3600 ; Retry
604800 ; Expire
3600 ) ; Minimum
300 ) ; Negative Reponse TTL
IN NS ns1.example.org.
IN NS ns2.example.org.
@ -3711,6 +3844,9 @@ www IN CNAME @</programlisting>
<para>This file gives the proper IP address to hostname
mappings of our above fictitious domain.</para>
<para>It is worth noting that all names on the right side
of a PTR record need to be fully qualified (i.e., end in
a <quote>.</quote>).</para>
</sect3>
</sect2>
@ -3721,11 +3857,9 @@ www IN CNAME @</programlisting>
<secondary>caching name server</secondary>
</indexterm>
<para>A caching name server is a name server that is not
authoritative for any zones. It simply asks queries of its
own, and remembers them for later use. To set one up, just
configure the name server as usual, omitting any inclusions of
zones.</para>
<para>A caching name server is a name server whose primary role
is to resolve recursive queries. It simply asks queries of its
own, and remembers the answers for later use.</para>
</sect2>
<sect2>
@ -3763,22 +3897,16 @@ www IN CNAME @</programlisting>
<itemizedlist>
<listitem>
<para><ulink
url="http://www.isc.org/products/BIND/">Official ISC BIND
url="https://www.isc.org/software/bind">Official ISC BIND
Page</ulink></para>
</listitem>
<listitem>
<para><ulink
url="http://www.isc.org/sw/guild/bf/">Official ISC BIND
url="https://www.isc.org/software/guild">Official ISC BIND
Forum</ulink></para>
</listitem>
<listitem>
<para><ulink
url="http://www.isc.org/index.pl?/sw/bind/FAQ.php">
BIND9 FAQ</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.oreilly.com/catalog/dns5/">O'Reilly
DNS and BIND 5th Edition</ulink></para>
@ -3786,13 +3914,13 @@ www IN CNAME @</programlisting>
<listitem>
<para><ulink
url="ftp://ftp.isi.edu/in-notes/rfc1034.txt">RFC1034
url="http://www.rfc-editor.org/rfc/rfc1034.txt">RFC1034
- Domain Names - Concepts and Facilities</ulink></para>
</listitem>
<listitem>
<para><ulink
url="ftp://ftp.isi.edu/in-notes/rfc1035.txt">RFC1035
url="http://www.rfc-editor.org/rfc/rfc1035.txt">RFC1035
- Domain Names - Implementation and Specification</ulink></para>
</listitem>
</itemizedlist>