The Internet Domain Name System (DNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the rules used for delegating authority over names, and the system implementation that actually maps names to Internet addresses. DNS data is maintained in a group of distributed hierarchical databases.
The Berkeley Internet Name Domain (BIND) implements an Internet nameserver for a number of operating systems. This document provides basic information about the installation and care of the Internet Software Consortium (ISC) BIND version 9 software package for system administrators.
In this document, Section 1 introduces the basic DNS and BIND concepts. Section 2 describes resource requirements for running BIND in various environments. Information in Section 3 is task-oriented in its presentation and is organized functionally, to aid in the process of installing the BIND 9 software. The task-oriented section is followed by Section 4 , which contains more advanced concepts that the system administrator may need for implementing certain options. Section 5 describes the BIND 9 lightweight resolver. The contents of Section 6 are organized as in a reference manual to aid in the ongoing maintenance of the software. Section 7 addresses security considerations, and Section 8 contains troubleshooting help. The main body of the document is followed by several Appendices which contain useful reference information, such as a Bibliography and historic information related to BIND and the Domain Name System.
In this document, we use the following general typographic conventions:
|
a pathname, filename, URL, hostname, |
|
The following conventions are used in descriptions of the BIND configuration file:
Sans Serif Italic |
|
|
"meta-syntactic" information (within brackets when optional) |
|
The purpose of this document is to explain the installation and basic upkeep of the BIND software package, and we begin by reviewing the fundamentals of the domain naming system as they relate to BIND. BIND consists of a
nameserver
(or "daemon") called
named
and a
resolver
library. The BIND server runs in the background, servicing queries on a well known network port. The standard port for the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), usually port 53, is specified in
/etc/services
. The
resolver
is a set of routines residing in a system library that provides the interface that programs can use to access the domain name services.
A nameserver (NS) is a program that stores information about named resources and responds to queries from programs called resolvers which act as client processes. The basic function of an NS is to provide information about network objects by answering queries.
With the nameserver, the network can be broken into a hierarchy of domains. The name space is organized as a tree according to organizational or administrative boundaries. Each node of the tree, called a domain, is given a label. The name of the domain is the concatenation of all the labels of the domains from the root to the current domain. This is represented in written form as a string of labels listed from right to left and separated by dots. A label need only be unique within its domain. The whole name space is partitioned into areas called zones , each starting at a domain and extending down to the leaf domains or to domains where other zones start. Zones usually represent administrative boundaries. For example, a domain name for a host at the company Example, Inc. would be:
where com is the top level domain to which ourhost.example.com belongs, example is a subdomain of com , and ourhost is the name of the host.
The specifications for the domain nameserver are defined in the RFC 1034, RFC 1035 and RFC 974. These documents can be found in
/usr/src/etc/named/doc
in 4.4BSD or are available via File Transfer Protocol (FTP) from
ftp://www.isi.edu/in-notes/
or via the Web at
http://www.ietf.org/rfc/
. (See Appendix C for complete information on finding and retrieving RFCs.) It is also recommended that you read the related man pages:
named
and
resolver
.
As we stated previously, a zone is a point of delegation in the DNS tree. A zone consists of those contiguous parts of the domain tree for which a domain server has complete information and over which it has authority. It contains all domain names from a certain point downward in the domain tree except those which are delegated to other zones. A delegation point has one or more NS records in the parent zone, which should be matched by equivalent NS records at the root of the delegated zone.
To properly operate a nameserver, it is important to understand the difference between a zone and a domain .
For instance, consider the example.com domain which includes names such as host.aaa.example.com and host.bbb.example.com even though the example.com zone includes only delegations for the aaa.example.com and bbb.example.com zones. A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other nameservers. Every name in the DNS tree is a domain , even if it is terminal , that is, has no subdomains . Every subdomain is a domain and every domain except the root is also a subdomain. The terminology is not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to gain a complete understanding of this difficult and subtle topic.
Though BIND is a Domain Nameserver, it deals primarily in terms of zones. The master and slave declarations in the named.conf file specify zones, not domains. When you ask some other site if it is willing to be a slave server for your domain , you are actually asking for slave service for some collection of zones.
Each zone will have one
primary master
(also called
primary
) server which loads the zone contents from some local file edited by humans or perhaps generated mechanically from some other local file which is edited by humans. There there will be some number of
slave
(also called
secondary)
servers, which load the zone contents using the DNS protocol (that is, the secondary servers will contact the primary and fetch the zone data using TCP). This set of servers--the primary and all of its secondaries--should be listed in the NS records in the parent zone and will constitute a
delegation
. This set of servers must also be listed in the zone file itself, usually under the
@
name which indicates the
top level
or
root
of the current zone. You can list servers in the zone's top-level
@
NS records that are not in the parent's NS delegation, but you cannot list servers in the parent's delegation that are not present in the zone's
@
.
Any servers listed in the NS records must be configured as authoritative for the zone. A server is authoritative for a zone when it has been configured to answer questions for that zone with authority, which it does by setting the "authoritative answer" (AA) bit in reply packets. A server may be authoritative for more than one zone. The authoritative data for a zone is composed of all of the Resource Records (RRs)--the data associated with names in a tree-structured name space--attached to all of the nodes from the top node of the zone down to leaf nodes or nodes above cuts around the bottom edge of the zone.
Adding a zone as a type master or type slave will tell the server to answer questions for the zone authoritatively. If the server is able to load the zone into memory without any errors it will set the AA bit when it replies to queries for the zone. See RFCs 1034 and 1035 for more information about the AA bit.
A DNS server can be master for some zones and slave for others or can be only a master, or only a slave, or can serve no zones and just answer queries via its cache . Master servers are often also called primaries and slave servers are often also called secondaries . Both master/primary and slave/secondary servers are authoritative for a zone.
All servers keep data in their cache until the data expires, based on a Time To Live (TTL) field which is maintained for all resource records.
The primary master server is the ultimate source of information about a domain. The primary master is an authoritative server configured to be the source of zone transfer for one or more secondary servers. The primary master server obtains data for the zone from a file on disk.
A slave server , also called a secondary server , is an authoritative server that uses zone transfers from the primary master server to retrieve the zone data. Optionally, the slave server obtains zone data from a cache on disk. Slave servers provide necessary redundancy. All secondary/slave servers are named in the NS RRs for the zone.
Some servers are caching only servers . This means that the server caches the information that it receives and uses it until the data expires. A caching only server is a server that is not authoritative for any zone. This server services queries and asks other servers, who have the authority, for the information it needs.
Instead of interacting with the nameservers for the root and other domains, a forwarding server always forwards queries it cannot satisfy from its authoritative data or cache to a fixed list of other servers. The forwarded queries are also known as recursive queries , the same type as a client would send to a server. There may be one or more servers forwarded to, and they are queried in turn until the list is exhausted or an answer is found. A forwarding server is typically used when you do not wish all the servers at a given site to interact with the rest of the Internet servers. A typical scenario would involve a number of internal DNS servers and an Internet firewall. Servers unable to pass packets through the firewall would forward to the server that can do it, and that server would query the Internet DNS servers on the internal server's behalf. An added benefit of using the forwarding feature is that the central machine develops a much more complete cache of information that all the workstations can take advantage of.
There is no prohibition against declaring a server to be a forwarder even though it has master and/or slave zones as well; the effect will still be that anything in the local server's cache or zones will be answered, and anything else will be forwarded using the forwarders list.
A stealth server is a server that answers authoritatively for a zone, but is not listed in that zone's NS records. Stealth servers can be used as a way to centralize distribution of a zone, without having to edit the zone on a remote nameserver. Where the master file for a zone resides on a stealth server in this way, it is often referred to as a "hidden primary" configuration. Stealth servers can also be a way to keep a local copy of a zone for rapid access to the zone's records, even if all "official" nameservers for the zone are inaccessible.
Return to BIND 9 Administrator Reference Manual table of contents.