Date: Mon, 28 May 2018 23:38:40 +0000 (UTC)
From: Eitan Adler <eadler@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r51739 - head/en_US.ISO8859-1/books/handbook/network-servers
Message-ID: <201805282338.w4SNceb1011903@repo.freebsd.org>
Author: eadler Date: Mon May 28 23:38:40 2018 New Revision: 51739 URL: https://svnweb.freebsd.org/changeset/doc/51739 Log: handbook: remove information about BIND for FreeBSD 9 and older There is no supported version of FreeBSD that still includes BIND in case. Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Mon May 28 23:24:41 2018 (r51738) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Mon May 28 23:38:40 2018 (r51739) @@ -2972,22 +2972,6 @@ dhcpd_ifaces="dc0"</programlisting> necessary to run a name server to perform <acronym>DNS</acronym> lookups on a system.</para> - <indexterm><primary>BIND</primary></indexterm> - - <para>In &os; 10, the Berkeley Internet Name Domain - (<acronym>BIND</acronym>) has been removed from the base system - and replaced with Unbound. Unbound as configured in the &os; - Base is a local caching resolver. <acronym>BIND</acronym> is - still available from The Ports Collection as <package - role="port">dns/bind99</package> or <package - role="port">dns/bind98</package>. In &os; 9 and lower, - <acronym>BIND</acronym> is included in &os; Base. The &os; - version provides enhanced security features, a new file system - layout, and automated &man.chroot.8; configuration. - <acronym>BIND</acronym> is maintained by the <link - xlink:href="https://www.isc.org/">Internet Systems - Consortium</link>.</para> - <indexterm><primary>resolver</primary></indexterm> <indexterm><primary>reverse <acronym>DNS</acronym></primary></indexterm> 
@@ -3024,12 +3008,6 @@ dhcpd_ifaces="dc0"</programlisting> </row> <row> - <entry><application>named</application>, BIND</entry> - <entry>Common names for the BIND name server package - within &os;.</entry> - </row> - - <row> <entry>Resolver</entry> <entry>A system process through which a machine queries a name server for zone information.</entry> @@ -3158,15 +3136,8 @@ dhcpd_ifaces="dc0"</programlisting> </sect2> <sect2> - <title><acronym>DNS</acronym> Server Configuration in &os; 10.0 - and Later</title> + <title><acronym>DNS</acronym> Server Configuration</title> - <para>In &os; 10.0, <application>BIND</application> has been - replaced with <application>Unbound</application>. - <application>Unbound</application> is a validating caching - resolver only. If an authoritative server is needed, many are - available from the Ports Collection.</para> - <para><application>Unbound</application> is provided in the &os; base system. By default, it will provide <acronym>DNS</acronym> resolution to the local machine only. 
@@ -3229,1232 +3200,6 @@ freebsd.org. (A) |---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful</screen> - </sect2> - - <sect2> - <title>DNS Server Configuration in &os; - 9.<replaceable>X</replaceable></title> - - <important> - <para>This chapter is only applicable to &os; 9 and before. - <application>BIND9</application> is no longer part of the - base system in &os; 10 and after, where it has been replaced - with <application>unbound</application>.</para> - </important> - - <para>In &os;, the BIND daemon is called - <application>named</application>.</para> - - <informaltable frame="none" pgwide="1"> - <tgroup cols="2"> - <thead> - <row> - <entry>File</entry> - <entry>Description</entry> - </row> - </thead> - - <tbody> - <row> - <entry>&man.named.8;</entry> - <entry>The BIND daemon.</entry> - </row> - - <row> - <entry>&man.rndc.8;</entry> - <entry>Name server control utility.</entry> - </row> - - <row> - <entry><filename>/etc/namedb</filename></entry> - <entry>Directory where BIND zone information - resides.</entry> - </row> - - <row> - <entry><filename>/etc/namedb/named.conf</filename></entry> - <entry>Configuration file of the daemon.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Depending on how a given zone is configured on the server, - the files related to that zone can be found in the - <filename>master</filename>, - <filename>slave</filename>, or - <filename>dynamic</filename> subdirectories - of the <filename>/etc/namedb</filename> - directory. 
These files contain the <acronym>DNS</acronym> - information that will be given out by the name server in - response to queries.</para> - - <sect3> - <title>Starting BIND</title> - - <indexterm> - <primary>BIND</primary> - <secondary>starting</secondary> - </indexterm> - - <para>Since BIND is installed by default, configuring it is - relatively simple.</para> - - <para>The default <application>named</application> - configuration is that of a basic resolving name server, - running in a &man.chroot.8; environment, and restricted to - listening on the local IPv4 loopback address (127.0.0.1). - To start the server one time with this configuration, use - the following command:</para> - - <screen>&prompt.root; <userinput>service named onestart</userinput></screen> - - <para>To ensure the <application>named</application> daemon is - started at boot each time, put the following line into the - <filename>/etc/rc.conf</filename>:</para> - - <programlisting>named_enable="YES"</programlisting> - - <para>There are many configuration options for - <filename>/etc/namedb/named.conf</filename> that are beyond - the scope of this document. Other startup options for - <application>named</application> on &os; can be found in the - <literal>named_<replaceable>*</replaceable></literal> flags - in <filename>/etc/defaults/rc.conf</filename> and in - &man.rc.conf.5;. The <xref linkend="configtuning-rcd"/> - section is also a good read.</para> - </sect3> - - <sect3> - <title>Configuration Files</title> - - <indexterm> - <primary>BIND</primary> - <secondary>configuration files</secondary> - </indexterm> - - <para>Configuration files for <application>named</application> - currently reside in <filename>/etc/namedb</filename> - directory and will need modification before use unless all - that is needed is a simple resolver. 
This is where most of - the configuration will be performed.</para> - - <sect4> - <title><filename>/etc/namedb/named.conf</filename></title> - - <programlisting>// <phrase its:translate="no">$FreeBSD$</phrase> -// -// Refer to the named.conf(5) and named(8) man pages, and the documentation -// in /usr/share/doc/bind9 for more details. -// -// If you are going to set up an authoritative server, make sure you -// understand the hairy details of how DNS works. Even with -// simple mistakes, you can break connectivity for affected parties, -// or cause huge amounts of useless Internet traffic. - -options { - // All file and path names are relative to the chroot directory, - // if any, and should be fully qualified. - directory "/etc/namedb/working"; - pid-file "/var/run/named/pid"; - dump-file "/var/dump/named_dump.db"; - statistics-file "/var/stats/named.stats"; - -// If named is being used only as a local resolver, this is a safe default. -// For named to be accessible to the network, comment this option, specify -// the proper IP address, or delete this option. - listen-on { 127.0.0.1; }; - -// If you have IPv6 enabled on this system, uncomment this option for -// use as a local resolver. To give access to the network, specify -// an IPv6 address, or the keyword "any". -// listen-on-v6 { ::1; }; - -// These zones are already covered by the empty zones listed below. -// If you remove the related empty zones below, comment these lines out. - disable-empty-zone "255.255.255.255.IN-ADDR.ARPA"; - disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; - disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; - -// If you have a DNS server around at your upstream provider, enter -// its IP address here, and enable the line below. This will make you -// benefit from its cache, thus reduce overall DNS traffic in the Internet. 
-/* - forwarders { - 127.0.0.1; - }; -*/ - -// If the 'forwarders' clause is not empty the default is to 'forward first' -// which will fall back to sending a query from your local server if the name -// servers in 'forwarders' do not have the answer. Alternatively you can -// force your name server to never initiate queries of its own by enabling the -// following line: -// forward only; - -// If you wish to have forwarding configured automatically based on -// the entries in /etc/resolv.conf, uncomment the following line and -// set named_auto_forward=yes in /etc/rc.conf. You can also enable -// named_auto_forward_only (the effect of which is described above). -// include "/etc/namedb/auto_forward.conf";</programlisting> - - <para>Just as the comment says, to benefit from an uplink's - cache, <literal>forwarders</literal> can be enabled here. - Under normal circumstances, a name server will recursively - query the Internet looking at certain name servers until - it finds the answer it is looking for. Having this - enabled will have it query the uplink's name server (or - name server provided) first, taking advantage of its - cache. If the uplink name server in question is a heavily - trafficked, fast name server, enabling this may be - worthwhile.</para> - - <warning> - <para><systemitem class="ipaddress">127.0.0.1</systemitem> - will <emphasis>not</emphasis> work here. Change this - <acronym>IP</acronym> address to a name server at the - uplink.</para> - </warning> - - <programlisting> /* - Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing - query by default in order to dramatically reduce the possibility - of cache poisoning. All users are strongly encouraged to utilize - this feature, and to configure their firewalls to accommodate it. - - AS A LAST RESORT in order to get around a restrictive firewall - policy you can try enabling the option below. 
Use of this option - will significantly reduce your ability to withstand cache poisoning - attacks, and should be avoided if at all possible. - - Replace NNNNN in the example with a number between 49160 and 65530. - */ - // query-source address * port NNNNN; -}; - -// If you enable a local name server, do not forget to enter 127.0.0.1 -// first in your /etc/resolv.conf so this server will be queried. -// Also, make sure to enable it in /etc/rc.conf. - -// The traditional root hints mechanism. Use this, OR the slave zones below. -zone "." { type hint; file "/etc/namedb/named.root"; }; - -/* Slaving the following zones from the root name servers has some - significant advantages: - 1. Faster local resolution for your users - 2. No spurious traffic will be sent from your network to the roots - 3. Greater resilience to any potential root server failure/DDoS - - On the other hand, this method requires more monitoring than the - hints file to be sure that an unexpected failure mode has not - incapacitated your server. Name servers that are serving a lot - of clients will benefit more from this approach than individual - hosts. Use with caution. - - To use this mechanism, uncomment the entries below, and comment - the hint zone above. - - As documented at http://dns.icann.org/services/axfr/ these zones: - "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET - are available for AXFR from these servers on IPv4 and IPv6: - xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org -*/ -/* -zone "." { - type slave; - file "/etc/namedb/slave/root.slave"; - masters { - 192.5.5.241; // F.ROOT-SERVERS.NET. - }; - notify no; -}; -zone "arpa" { - type slave; - file "/etc/namedb/slave/arpa.slave"; - masters { - 192.5.5.241; // F.ROOT-SERVERS.NET. - }; - notify no; -}; -*/ - -/* Serving the following zones locally will prevent any queries - for these zones leaving your network and going to the root - name servers. This has two significant advantages: - 1. 
Faster local resolution for your users - 2. No spurious traffic will be sent from your network to the roots -*/ -// RFCs 1912 and 5735 (and BCP 32 for localhost) -zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; }; -zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; -zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// RFC 1912-style zone for IPv6 localhost address -zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; - -// "This" Network (RFCs 1912 and 5735) -zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// Private Use Networks (RFCs 1918 and 5735) -zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "30.172.in-addr.arpa" { type master; file 
"/etc/namedb/master/empty.db"; }; -zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// Link-local/APIPA (RFCs 3927 and 5735) -zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IETF protocol assignments (RFCs 5735 and 5736) -zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// TEST-NET-[1-3] for Documentation (RFCs 5735 and 5737) -zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Range for Documentation (RFC 3849) -zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// Domain Names for Documentation and Testing (BCP 32) -zone "test" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example" { type master; file "/etc/namedb/master/empty.db"; }; -zone "invalid" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example.com" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example.net" { type master; file "/etc/namedb/master/empty.db"; }; -zone "example.org" { type master; file "/etc/namedb/master/empty.db"; }; - -// Router Benchmark Testing (RFCs 2544 and 5735) -zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IANA Reserved - Old Class E Space (RFC 5735) -zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone 
"244.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "245.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Unassigned Addresses (RFC 4291) -zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "3.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "4.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "5.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "6.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "7.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "8.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "9.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "a.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "b.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "c.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "d.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "1.f.ip6.arpa" { type master; file 
"/etc/namedb/master/empty.db"; }; -zone "2.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "3.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "4.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "5.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "6.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "7.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "8.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "9.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "a.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "1.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "2.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "3.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "4.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "5.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "6.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 ULA (RFC 4193) -zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Link Local (RFC 4291) -zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IPv6 Deprecated Site-Local Addresses (RFC 3879) -zone "c.e.f.ip6.arpa" { 
type master; file "/etc/namedb/master/empty.db"; }; -zone "d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; -zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; - -// IP6.INT is Deprecated (RFC 4159) -zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; }; - -// NB: Do not use the IP addresses below, they are faked, and only -// serve demonstration/documentation purposes! -// -// Example slave zone config entries. It can be convenient to become -// a slave at least for the zone your own domain is in. Ask -// your network administrator for the IP address of the responsible -// master name server. -// -// Do not forget to include the reverse lookup zone! -// This is named after the first bytes of the IP address, in reverse -// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. -// -// Before starting to set up a master zone, make sure you fully -// understand how DNS and BIND work. There are sometimes -// non-obvious pitfalls. Setting up a slave zone is usually simpler. -// -// NB: Do not blindly enable the examples below. :-) Use actual names -// and addresses instead. 
- -/* An example dynamic zone -key "exampleorgkey" { - algorithm hmac-md5; - secret "sf87HJqjkqh8ac87a02lla=="; -}; -zone "example.org" { - type master; - allow-update { - key "exampleorgkey"; - }; - file "/etc/namedb/dynamic/example.org"; -}; -*/ - -/* Example of a slave reverse zone -zone "1.168.192.in-addr.arpa" { - type slave; - file "/etc/namedb/slave/1.168.192.in-addr.arpa"; - masters { - 192.168.1.1; - }; -}; -*/</programlisting> - - <para>In <filename>named.conf</filename>, these are examples - of slave entries for a forward and reverse zone.</para> - - <para>For each new zone served, a new zone entry must be - added to <filename>named.conf</filename>.</para> - - <para>For example, the simplest zone entry for - <systemitem class="fqdomainname">example.org</systemitem> - can look like:</para> - - <programlisting>zone "example.org" { - type master; - file "master/example.org"; -};</programlisting> - - <para>The zone is a master, as indicated by the - <option>type</option> statement, holding its zone - information in - <filename>/etc/namedb/master/example.org</filename> - indicated by the <option>file</option> statement.</para> - - <programlisting>zone "example.org" { - type slave; - file "slave/example.org"; -};</programlisting> - - <para>In the slave case, the zone information is transferred - from the master name server for the particular zone, and - saved in the file specified. If and when the master - server dies or is unreachable, the slave name server will - have the transferred zone information and will be able to - serve it.</para> - </sect4> - - <sect4> - <title>Zone Files</title> - - <indexterm> - <primary>BIND</primary> - <secondary>zone files</secondary> - </indexterm> - - <para>An example master zone file for - <systemitem class="fqdomainname">example.org</systemitem> - (existing within - <filename>/etc/namedb/master/example.org</filename>) is as - follows:</para> - - <programlisting>$TTL 3600 ; 1 hour default TTL -example.org. 
IN SOA ns1.example.org. admin.example.org. ( - 2006051501 ; Serial - 10800 ; Refresh - 3600 ; Retry - 604800 ; Expire - 300 ; Negative Response TTL - ) - -; DNS Servers - IN NS ns1.example.org. - IN NS ns2.example.org. - -; MX Records - IN MX 10 mx.example.org. - IN MX 20 mail.example.org. - - IN A 192.168.1.1 - -; Machine Names -localhost IN A 127.0.0.1 -ns1 IN A 192.168.1.2 -ns2 IN A 192.168.1.3 -mx IN A 192.168.1.4 -mail IN A 192.168.1.5 - -; Aliases -www IN CNAME example.org.</programlisting> - - <para>Note that every hostname ending in a <quote>.</quote> - is an exact hostname, whereas everything without a - trailing <quote>.</quote> is relative to the origin. For - example, <literal>ns1</literal> is translated into - <literal>ns1.<replaceable>example.org.</replaceable></literal></para> - - <para>The format of a zone file follows:</para> - - <programlisting>recordname IN recordtype value</programlisting> - - <indexterm> - <primary><acronym>DNS</acronym></primary> - <secondary>records</secondary> - </indexterm> - - <para>The most commonly used <acronym>DNS</acronym> - records:</para> - - <variablelist> - <varlistentry> - <term>SOA</term> - - <listitem> - <para>start of zone authority</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>NS</term> - - <listitem> - <para>an authoritative name server</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>A</term> - - <listitem> - <para>a host address</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>CNAME</term> - - <listitem> - <para>the canonical name for an alias</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>MX</term> - - <listitem> - <para>mail exchanger</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PTR</term> - - <listitem> - <para>a domain name pointer (used in reverse - <acronym>DNS</acronym>)</para> - </listitem> - </varlistentry> - </variablelist> - - <programlisting>example.org. IN SOA ns1.example.org. admin.example.org. 
( - 2006051501 ; Serial - 10800 ; Refresh after 3 hours - 3600 ; Retry after 1 hour - 604800 ; Expire after 1 week - 300 ) ; Negative Response TTL</programlisting> - - <variablelist> - <varlistentry> - <term><systemitem - class="fqdomainname">example.org.</systemitem></term> - - <listitem> - <para>the domain name, also the origin for this - zone file.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><systemitem - class="fqdomainname">ns1.example.org.</systemitem></term> - - <listitem> - <para>the primary/authoritative name server for this - zone.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>admin.example.org.</literal></term> - - <listitem> - <para>the responsible person for this zone, - email address with <quote>@</quote> - replaced. (<email>admin@example.org</email> becomes - <literal>admin.example.org</literal>)</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>2006051501</literal></term> - - <listitem> - <para>the serial number of the file. This must be - incremented each time the zone file is modified. - Nowadays, many admins prefer a - <literal>yyyymmddrr</literal> format for the serial - number. <literal>2006051501</literal> would mean - last modified 05/15/2006, the latter - <literal>01</literal> being the first time the zone - file has been modified this day. The serial number - is important as it alerts slave name servers for a - zone when it is updated.</para> - </listitem> - </varlistentry> - </variablelist> - - <programlisting> IN NS ns1.example.org.</programlisting> - - <para>This is an NS entry. Every name server that is going - to reply authoritatively for the zone must have one of - these entries.</para> - - <programlisting>localhost IN A 127.0.0.1 -ns1 IN A 192.168.1.2 -ns2 IN A 192.168.1.3 -mx IN A 192.168.1.4 -mail IN A 192.168.1.5</programlisting> - - <para>The A record indicates machine names. 
As seen above, - <systemitem - class="fqdomainname">ns1.example.org</systemitem> would - resolve to <systemitem - class="ipaddress">192.168.1.2</systemitem>.</para> - - <programlisting> IN A 192.168.1.1</programlisting> - - <para>This line assigns <acronym>IP</acronym> address - <systemitem class="ipaddress">192.168.1.1</systemitem> to - the current origin, in this case <systemitem - class="fqdomainname">example.org</systemitem>.</para> - - <programlisting>www IN CNAME @</programlisting> - - <para>The canonical name record is usually used for giving - aliases to a machine. In the example, - <systemitem>www</systemitem> is aliased to the - <quote>master</quote> machine whose name happens to be the - same as the domain name - <systemitem class="fqdomainname">example.org</systemitem> - (<systemitem class="ipaddress">192.168.1.1</systemitem>). - CNAMEs can never be used together with another kind of - record for the same hostname.</para> - - <indexterm> - <primary>MX record</primary> - </indexterm> - - <programlisting> IN MX 10 mail.example.org.</programlisting> - - <para>The MX record indicates which mail servers are - responsible for handling incoming mail for the zone. - <systemitem - class="fqdomainname">mail.example.org</systemitem> is - the hostname of a mail server, and 10 is the priority of - that mail server.</para> - - <para>One can have several mail servers, with priorities of - 10, 20 and so on. A mail server attempting to deliver to - <systemitem class="fqdomainname">example.org</systemitem> - would first try the highest priority MX (the record with - the lowest priority number), then the second highest, etc, - until the mail can be properly delivered.</para> - - <para>For in-addr.arpa zone files (reverse - <acronym>DNS</acronym>), the same format is used, except - with PTR entries instead of A or CNAME.</para> - - <programlisting>$TTL 3600 - -1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. 
( - 2006051501 ; Serial - 10800 ; Refresh - 3600 ; Retry - 604800 ; Expire - 300 ) ; Negative Response TTL - - IN NS ns1.example.org. - IN NS ns2.example.org. - -1 IN PTR example.org. -2 IN PTR ns1.example.org. -3 IN PTR ns2.example.org. -4 IN PTR mx.example.org. -5 IN PTR mail.example.org.</programlisting> - - <para>This file gives the proper <acronym>IP</acronym> - address to hostname mappings for the above fictitious - domain.</para> - - <para>It is worth noting that all names on the right side - of a PTR record need to be fully qualified (i.e., end in - a <quote>.</quote>).</para> - </sect4> - </sect3> - - <sect3> - <title>Caching Name Server</title> - - <indexterm> - <primary>BIND</primary> - <secondary>caching name server</secondary> - </indexterm> - - <para>A caching name server is a name server whose primary - role is to resolve recursive queries. It simply asks - queries of its own, and remembers the answers for later - use.</para> - </sect3> - - <sect3> - <title><acronym role="Domain Name Security - Extensions">DNSSEC</acronym></title> - - <indexterm> - <primary>BIND</primary> - <secondary><acronym>DNS</acronym> security - extensions</secondary> - </indexterm> - - <para>Domain Name System Security Extensions, or <acronym - role="Domain Name Security Extensions">DNSSEC</acronym> - for short, is a suite of specifications to protect resolving - name servers from forged <acronym>DNS</acronym> data, such - as spoofed <acronym>DNS</acronym> records. By using digital - signatures, a resolver can verify the integrity of the - record. Note that <acronym role="Domain Name Security - Extensions">DNSSEC</acronym> only provides integrity via - digitally signing the Resource Records (<acronym - role="Resource Record">RR</acronym>s). It provides - neither confidentiality nor protection against false - end-user assumptions. 
This means that it cannot protect - against people going to - <systemitem class="fqdomainname">example.net</systemitem> - instead of - <systemitem class="fqdomainname">example.com</systemitem>. - The only thing <acronym>DNSSEC</acronym> does is - authenticate that the data has not been compromised in - transit. The security of <acronym>DNS</acronym> is an - important step in securing the Internet in general. For - more in-depth details of how <acronym>DNSSEC</acronym> - works, the relevant <acronym>RFC</acronym>s are a good place - to start. See the list in - <xref linkend="dns-read"/>.</para> - - <para>The following sections will demonstrate how to enable - <acronym>DNSSEC</acronym> for an authoritative - <acronym>DNS</acronym> server and a recursive (or caching) - <acronym>DNS</acronym> server running - <acronym>BIND</acronym> 9. While all versions of - <acronym>BIND</acronym> 9 support <acronym>DNSSEC</acronym>, - it is necessary to have at least version 9.6.2 in order to - be able to use the signed root zone when validating - <acronym>DNS</acronym> queries. This is because earlier - versions lack the required algorithms to enable validation - using the root zone key. It is strongly recommended to use - the latest version of <acronym>BIND</acronym> 9.7 or later - to take advantage of automatic key updating for the root - key, as well as other features to automatically keep zones - signed and signatures up to date. Where configurations - differ between 9.6.2 and 9.7 and later, differences will be - pointed out.</para> - - <sect4> - <title>Recursive <acronym>DNS</acronym> Server - Configuration</title> - - <para>Enabling <acronym>DNSSEC</acronym> validation of - queries performed by a recursive <acronym>DNS</acronym> - server requires a few changes to - <filename>named.conf</filename>. Before making these - changes the root zone key, or trust anchor, must be - acquired. 
Currently the root zone key is not available in - a file format <acronym>BIND</acronym> understands, so it - has to be manually converted into the proper format. The - key itself can be obtained by querying the root zone for - it using <application>dig</application>. By - running</para> - - <screen>&prompt.user; <userinput>dig +multi +noall +answer DNSKEY . > root.dnskey</userinput></screen> - - <para>the key will end up in - <filename>root.dnskey</filename>. The contents should - look something like this:</para> - - <programlisting>. 93910 IN DNSKEY 257 3 8 ( - AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ - bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh - /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA - JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp - oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 - LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO - Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc - LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= - ) ; key id = 19036 -. 93910 IN DNSKEY 256 3 8 ( - AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf - UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE - g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V - EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt -) ; key id = 34525</programlisting> - - <para>Do not be alarmed if the obtained keys differ from - this example. They might have changed since these - instructions were last updated. This output actually - contains two keys. The first key in the listing, with the - value 257 after the DNSKEY record type, is the one needed. - This value indicates that this is a Secure Entry Point - (<acronym role="Secure Entry Point">SEP</acronym>), - commonly known as a Key Signing Key - (<acronym role="Key Signing Key">KSK</acronym>). The - second key, with value 256, is a subordinate key, commonly - called a Zone Signing Key - (<acronym role="Zone Signing Key">ZSK</acronym>). 
More on - the different key types later in - <xref linkend="dns-dnssec-auth"/>.</para> - - <para>Now the key must be verified and formatted so that - <acronym>BIND</acronym> can use it. To verify the key, - generate a <acronym role="Delegation Signer">DS</acronym> - <acronym role="Resource Record">RR</acronym> set. Create - a file containing these - <acronym role="Resource Record">RR</acronym>s with</para> - - <screen>&prompt.user; <userinput>dnssec-dsfromkey -f root.dnskey . > root.ds</userinput></screen> - - <para>These records use SHA-1 and SHA-256 respectively, and - should look similar to the following example, where the - longer is using SHA-256.</para> - - <programlisting>. IN DS 19036 8 1 - B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E -. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting> - - <para>The SHA-256 <acronym>RR</acronym> can now be compared - to the digest in <link - xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>. - To be absolutely sure that the key has not been tampered - with the data in the <acronym>XML</acronym> file should be - verified using a proper <acronym>PGP</acronym> signature.</para> - - - <para>Next, the key must be formatted properly. This - differs a little between <acronym>BIND</acronym> versions - 9.6.2 and 9.7 and later. In version 9.7 support was added - to automatically track changes to the key and update it as - necessary. This is done using - <literal>managed-keys</literal> as seen in the example - below. When using the older version, the key is added - using a <literal>trusted-keys</literal> statement and - updates must be done manually. For - <acronym>BIND</acronym> 9.6.2 the format should look - like:</para> - - <programlisting>trusted-keys { - "." 
257 3 8 - "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; -};</programlisting> - - <para>For 9.7 the format will instead be:</para> - - <programlisting>managed-keys { - "." initial-key 257 3 8 - "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; -};</programlisting> - - <para>The root key can now be added to - <filename>named.conf</filename> either directly or by - including a file containing the key. After these steps, - configure <acronym>BIND</acronym> to do - <acronym>DNSSEC</acronym> validation on queries by editing - <filename>named.conf</filename> and adding the following - to the <literal>options</literal> directive:</para> - - <programlisting>dnssec-enable yes; -dnssec-validation yes;</programlisting> - - <para>To verify that it is actually working use - <application>dig</application> to make a query for a - signed zone using the resolver just configured. A - successful reply will contain the <literal>AD</literal> - flag to indicate the data was authenticated. Running a - query such as</para> - - <screen>&prompt.user; <userinput>dig @<replaceable>resolver</replaceable> +dnssec se ds </userinput></screen> - - <para>should return the <acronym>DS</acronym> - <acronym>RR</acronym> for the <literal>.se</literal> zone. 
- In the <literal>flags:</literal> section the - <literal>AD</literal> flag should be set, as seen - in:</para> - - <programlisting>... -;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 -...</programlisting> - - <para>The resolver is now capable of authenticating - <acronym>DNS</acronym> queries.</para> - </sect4> - - <sect4 xml:id="dns-dnssec-auth"> - <title>Authoritative <acronym>DNS</acronym> Server - Configuration</title> - - <para>In order to get an authoritative name server to serve - a <acronym>DNSSEC</acronym> signed zone a little more work - is required. A zone is signed using cryptographic keys *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
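Review bot: the removed block defines `<sect4 xml:id="dns-dnssec-auth">` and the removed prose itself links to it with `<xref linkend="dns-dnssec-auth"/>`, and also to `<xref linkend="dns-read"/>`; confirm that no surviving `<xref>` elsewhere in chapter.xml still carries `linkend="dns-dnssec-auth"`, since a dangling linkend breaks the DocBook build, and that the `dns-read` target is still needed by remaining text before it is also dropped.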
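Review bot: this region removes the chapter's only visible guidance on resolver-side DNSSEC validation (fetching the root DNSKEY with `dig +multi +noall +answer DNSKEY .`, generating the DS digest with `dnssec-dsfromkey` and comparing it against https://data.iana.org/root-anchors/root-anchors.xml, enabling `dnssec-validation yes;`, and confirming the `ad` flag with `dig +dnssec`). Only the `trusted-keys`/`managed-keys` syntax is BIND-specific; the trust-anchor verification and the AD-flag check apply to any validating resolver. Consider keeping a short resolver-neutral paragraph on those two checks, or adding a pointer to where validation for the base-system resolver is documented, so the removal does not leave the chapter with no way for readers to verify that their resolver actually validates.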