BIND 9 Administrator Reference Manual

BIND Version 9.15.7

Table of Contents

1. Introduction
Scope of Document
Organization of This Document
Conventions Used in This Document
The Domain Name System (DNS)
DNS Fundamentals
Domains and Domain Names
Authoritative Name Servers
Caching Name Servers
Name Servers in Multiple Roles
2. BIND Resource Requirements
Hardware requirements
CPU Requirements
Memory Requirements
Name Server Intensive Environment Issues
Supported Operating Systems
3. Name Server Configuration
Sample Configurations
A Caching-only Name Server
An Authoritative-only Name Server
Load Balancing
Name Server Operations
Tools for Use With the Name Server Daemon
Configuring Plugins
Developing Plugins
4. Advanced DNS Features
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
Split DNS
Example split DNS setup
Generating a Shared Key
Loading A New Key
Instructing the Server to Use a Key
TSIG-Based Access Control
Generating Keys
Signing the Zone
Configuring Servers for DNSSEC
DNSSEC, Dynamic Zones, and Automatic Signing
Converting from insecure to secure
Dynamic DNS update method
Fully automatic zone signing
Private-type records
DNSKEY rollovers
Dynamic DNS update method
Automatic key rollovers
NSEC3PARAM rollovers via UPDATE
Converting from NSEC to NSEC3
Converting from NSEC3 to NSEC
Converting from secure to insecure
Periodic re-signing
Dynamic Trust Anchor Management
Validating Resolver
Authoritative Server
PKCS#11 (Cryptoki) support
Native PKCS#11
OpenSSL-based PKCS#11
PKCS#11 Tools
Using the HSM
Specifying the engine on the command line
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
Configuring DLZ
Sample DLZ Driver
DynDB (Dynamic Database)
Configuring DynDB
Sample DynDB Module
Catalog Zones
Principle of Operation
Configuring Catalog Zones
Catalog Zone format
IPv6 Support in BIND 9
Address Lookups Using AAAA Records
Address to Name Lookups Using Nibble Format
5. BIND 9 Configuration Reference
Configuration File Elements
Address Match Lists
Comment Syntax
Configuration File Grammar
acl Statement Grammar
acl Statement Definition and Usage
controls Statement Grammar
controls Statement Definition and Usage
include Statement Grammar
include Statement Definition and Usage
key Statement Grammar
key Statement Definition and Usage
logging Statement Grammar
logging Statement Definition and Usage
masters Statement Grammar
masters Statement Definition and Usage
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
statistics-channels Statement Definition and Usage
trust-anchors Statement Grammar
trust-anchors Statement Definition and Usage
dnssec-policy Statement Grammar
dnssec-policy Statement Definition and Usage
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
trusted-keys Statement Grammar
trusted-keys Statement Definition and Usage
view Statement Grammar
view Statement Definition and Usage
zone Statement Grammar
zone Statement Definition and Usage
Zone File
Types of Resource Records and When to Use Them
Discussion of MX Records
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
The Statistics File
Statistics Counters
6. BIND 9 Security Considerations
Access Control Lists
Chroot and Setuid
The chroot Environment
Using the setuid Function
Dynamic Update Security
7. Troubleshooting
Common Problems
It's not working; how can I figure out what's wrong?
EDNS compliance issues
Incrementing and Changing the Serial Number
Where Can I Get Help?
A. Release Notes
Release Notes for BIND Version 9.15.7
Note on Version Numbering
Supported Platforms
Notes for BIND 9.15.7
Notes for BIND 9.15.6
Notes for BIND 9.15.5
Notes for BIND 9.15.4
Notes for BIND 9.15.3
Notes for BIND 9.15.2
Notes for BIND 9.15.1
Notes for BIND 9.15.0
End of Life
Thank You
B. A Brief History of the DNS and BIND
C. General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
Other Documents About BIND
D. BIND 9 DNS Library Support
BIND 9 DNS Library Support
Known Defects/Restrictions
The dns.conf File
Sample Applications
Library References
I. Manual pages
arpaname — translate IP addresses to the corresponding ARPA names
ddns-confgen — ddns key generation tool
delv — DNS lookup and validation utility
dig — DNS lookup utility
dnssec-cds — change DS records for a child zone based on CDS/CDNSKEY
dnssec-checkds — DNSSEC delegation consistency checking tool
dnssec-coverage — checks future DNSKEY coverage for a zone
dnssec-dsfromkey — DNSSEC DS RR generation tool
dnssec-importkey — import DNSKEY records from external systems so they can be managed
dnssec-keyfromlabel — DNSSEC key generation tool
dnssec-keygen — DNSSEC key generation tool
dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy
dnssec-revoke — set the REVOKED bit on a DNSSEC key
dnssec-settime — set the key timing metadata for a DNSSEC key
dnssec-signzone — DNSSEC zone signing tool
dnssec-verify — DNSSEC zone verification tool
dnstap-read — print dnstap data in human-readable form — filter AAAA in DNS responses when A is present
host — DNS lookup utility
mdig — DNS pipelined lookup utility
named-checkconf — named configuration file syntax checking tool
named-checkzone — zone file validity checking or converting tool
named-journalprint — print zone journal in human-readable form
named-nzd2nzf — Convert an NZD database to NZF text format
named-rrchecker — syntax checker for individual DNS resource records
named.conf — configuration file for named
named — Internet domain name server
nsec3hash — generate NSEC3 hash
nslookup — query Internet name servers interactively
nsupdate — Dynamic DNS update utility
pkcs11-destroy — destroy PKCS#11 objects
pkcs11-keygen — generate keys on a PKCS#11 device
pkcs11-list — list PKCS#11 objects
pkcs11-tokens — list PKCS#11 available tokens
rndc-confgen — rndc key generation tool
rndc.conf — rndc configuration file
rndc — name server control utility

BIND 9.15.7 (Development Release)