bind_manual_setup(7)bind_manual_setup(7)NAMEbind_manual_setup - Describes how to manually set up the Berkeley
Internet Name Domain (BIND) service on your network.
DESCRIPTION
Setting up a BIND domain includes configuring the following: Master
server Slave servers Stub servers Caching-only servers Forward-only
servers Clients
Note
Documentation for BIND prior to Version 8.1.1 referred to the master
server as a primary server and the slave server as a secondary server.
Though the terminology has changed, master and slave servers are still
referred to as having primary and secondary authority, respectively,
for zones.
SETTING UP THE MASTER SERVER
There can be only one master server in a BIND domain. Use the following
procedure to set up a BIND master server: Create the /etc/resolv.conf
file.
The /etc/resolv.conf file contains the domain name and the
Internet Protocol (IP) address for the local host. Format the
/etc/resolv.conf file as follows, substituting your domain name
for cities.dec.com:
# @(#)resolv.conf # # Description: The resolv.conf file lists
name-value pairs that # provide information to the
BIND resolver. # # Syntax: domain <domainname> #
and # nameserver <address> # # Caution: White
space entered after the domain name is not # ignored;
it is interpreted as part of the domain name. # # domain
<domainname> local domain name # nameserver <address>
Internet address of a name server #
that the resolver should query # domain cities.dec.com
nameserver 127.0.0.1 Create the database files by using the
following procedure: Copy into or create in the /etc/namedb/src
directory a file called hosts. The hosts file should have the
following format:
127.0.0.1 localhost 120.105.1.20 host1.cities.dec.com h1
#BIND server 120.105.1.142 host2 h2 120.105.1.1 host3 h3
#BIND server 120.105.1.13 host4 120.105.2.23 host5 h5
The first field is the IP address. The second field is the host
name. The third field is for aliases for the host name
(optional). The fourth field is comments, delineated by the
number sign (#) (optional). Run the make hosts command from
within the /etc/namedb directory by entering the following com‐
mands:
# cd /etc/namedb # make hosts
The make hosts command creates the /etc/namedb/hosts.db and
/etc/namedb/hosts.rev files.
Note
Any host names with a domain name different from that for which
you are creating the database are ignored. For example, if you
create the hosts database for the domain cities.dec.com and you
have a host name fizzle.nac.dec.com in the file, fiz‐
zle.nac.dec.com is ignored. Also, the first host name that the
make hosts command encounters that has either no domain name or
the default domain name becomes the primary name of the machine.
All other names are considered aliases, or CNAMES. For example,
for the following entry, the make hosts command considers host2
the primary name of the system and h2 an alias:
120.105.1.20 host2 h2
Create the /etc/namedb/named.ca file.
The /etc/namedb/named.ca file must read as follows:
; ; This file holds the information on root name servers
needed to ; initialize cache of Internet domain name
servers ; (e.g. reference this file in the "cache .
<file>" ; configuration file of BIND domain name servers).
; ; This file is made available by InterNIC registration ;
services under anonymous FTP as ; file
/domain/named.root ; on server FTP.RS.INTER‐
NIC.NET ; -OR- under Gopher at RS.INTERNIC.NET ;
under menu InterNIC Registration Services (NSI) ;
submenu InterNIC Registration Archives ; file
named.root ; ; last update: Aug 22, 1997 ;
related version of root zone: 1997082200 ; ; ; formerly
NS.INTERNIC.NET ; A.ROOT-SERVERS.NET. 3600000 A
198.41.0.4 ; ; formerly NS1.ISI.EDU ; B.ROOT-SERVERS.NET.
3600000 A 128.9.0.107 ; ; formerly C.PSI.NET ; C.ROOT-
SERVERS.NET. 3600000 A 192.33.4.12 ; ; formerly
TERP.UMD.EDU ; D.ROOT-SERVERS.NET. 3600000 A
128.8.10.90 ; ; formerly NS.NASA.GOV ; E.ROOT-SERVERS.NET.
3600000 A 192.203.230.10 ; ; formerly NS.ISC.ORG ;
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 ; ; for‐
merly NS.NIC.DDN.MIL ; G.ROOT-SERVERS.NET. 3600000 A
192.112.36.4 ; ; formerly AOS.ARL.ARMY.MIL ; H.ROOT-SERVERS.NET.
3600000 A 128.63.2.53 ; ; formerly NIC.NORDU.NET ;
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 ; ;
temporarily housed at NSI (InterNIC) ; J.ROOT-SERVERS.NET.
3600000 A 198.41.0.10 ; ; housed in LINX, operated by
RIPE NCC ; K.ROOT-SERVERS.NET. 3600000 A
193.0.14.129 ; ; temporarily housed at ISI (IANA) ; L.ROOT-
SERVERS.NET. 3600000 A 198.32.64.12 ; ; housed in
Japan, operated by WIDE ; M.ROOT-SERVERS.NET. 3600000
A 202.12.27.33 ; End of File Create the
/etc/namedb/named.local file.
The /etc/namedb/named.local file must contain the following
information and be formatted as shown in the following example.
Replace host1.cities.dec.com with your host and domain name.
; ; BIND data file for local loopback interface. ; @ IN SOA
host1.cities.dec.com. postmaster.host1.cities.dec.com. (
1 ; Serial
3600 ; Refresh
300 ; Retry
3600000 ; Expire
3600 ) ; Minimum
IN NS host1.cities.dec.com. 1 IN PTR
localhost. localhost. IN A 127.0.0.1 Create the
configuration (boot) file.
The following is a sample named.conf file for a master server.
Replace cities.dec.com with your domain name and 120.105 with
your network number:
// named.conf
options {
directory "/etc/named";
/*
* If there is a firewall between you and nameservers
* you want to talk to, you might need to uncomment the
* query-source directive below. Previous versions of
BIND
* always asked questions using port 53, but BIND 8.1
uses
* an unprivileged port by default.
*/
// query-source address * port 53; };
// zone "cities.dec.com" {
type master;
file "hosts.db"; };
zone "120.105.in-addr.arpa" {
type master;
file "hosts.rev"; };
// // zone "0.0.127.in-addr.arpa" {
type master;
file "named.local"; };
// // load the cache data last zone "named.ca" {
type hint;
file ; };
The database files are stored in the /etc/namedb directory by
default. You can store database files in any directory; however,
if you place them in a directory other than the default direc‐
tory, you should change the /etc/namedb in the configuration
(boot) file to the name of the directory you have chosen. If
necessary for IPv6 or Microsoft Windows network environments,
enable dynamic updates by adding the allow-update substatement
to the master zone statements (forward and reverse lookup), as
follows:
zone "cities.dec.com" {
type master;
file "hosts.db";
allow-update { any; }; };
zone "120.105.in-addr.arpa" {
type master;
file "hosts.rev";
allow-update { any; }; }; If necessary, configure
authentication of dynamic updates and zone transfers. See CON‐
FIGURING AUTHENTICATION for more information.
Note that authentication is not supported on IPv6 name servers.
Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr
utility. The syntax for the /usr/sbin/rcmgr command is as fol‐
lows: /usr/sbin/rcmgr set variable value
Enter the following commands to edit the /etc/rc.config.common
file and add the required information:
# /usr/sbin/rcmgr set BIND_CONF YES # /usr/sbin/rcmgr set
BIND_SERVERTYPE MASTER # /usr/sbin/rcmgr set BIND_SERVERARGS "-b
/etc/namedb/named.conf" Edit the /etc/hosts file with the fully
qualified BIND name of the host.
To run BIND, your system's host name must include the BIND
domain name. The fully qualified BIND host name consists of the
local host name plus the BIND domain name, separated by dots.
For example, the fully qualified BIND host name for a system
whose local host name is host1 and whose BIND domain name is
cities.dec.com is host1.cities.dec.com.
See the hosts(4) reference page for more information. Edit the
/etc/rc.config file by using the /usr/sbin/rcmgr utility. The
syntax for the /usr/sbin/rcmgr command is as follows:
/usr/sbin/rcmgr set variable value
Enter the following command to edit the /etc/rc.config file and
add the required information:
# /usr/sbin/rcmgr set HOSTNAME host1.cities.dec.com
Replace host1.cities.dec.com with your system's fully qualified
BIND name. Set the new host name with the /sbin/hostname com‐
mand.
For example, to set the host name to host1.cities.dec.com for a
system that was previously known locally as host1, enter the
following command:
# /sbin/hostname host1.cities.dec.com Start the named daemon by
issuing the following command:
# /sbin/init.d/named start
SETTING UP A SLAVE SERVER
Use the following procedure to set up a BIND slave server: Create the
/etc/resolv.conf file. See step 1 in the Setting Up the Master Server
section. Create the /etc/namedb/named.ca file. See step 3 in the Set‐
ting Up the Master Server section. Create the /etc/namedb/named.local
file. See step 4 in the Setting Up the Master Server section. Create
the configuration (boot) file.
A configuration file for a slave server should have the format
shown in the following example. Replace cities.dec.com with
your domain name, 120.105 with your network number, and
120.105.4.5 with the IP address of your domain's BIND master
server:
// named.conf
options {
directory "/etc/named";
/*
* If there is a firewall between you and nameservers
* you want to talk to, you might need to uncomment the
* query-source directive below. Previous versions of
BIND
* always asked questions using port 53, but BIND 8.1
uses
* an unprivileged port by default.
*/
// query-source address * port 53; };
// zone "cities.dec.com" {
type slave;
file "hosts.db";
masters {
120.105.4.5;
}; };
zone "120.105.in-addr.arpa" {
type slave;
file "hosts.rev";
masters {
120.105.4.5;
}; };
// // zone "0.0.127.in-addr.arpa" {
type master;
file "named.local"; };
// // load the cache data last zone "named.ca" {
type hint;
file ; };
The following entry indicates that this host serves itself its
own local host information:
primary 0.0.127.in-addr.arpa named.local
The default directory in which the database files are stored is
/etc/namedb. You can store them in any directory; however, if
you place them in a directory other than the default directory
you should change the /etc/namedb at the top of the configura‐
tion (boot) file to the name of the directory you have chosen.
If necessary, configure authentication of zone transfers. See
CONFIGURING AUTHENTICATION for more information. Edit the
/etc/rc.config.common file by using the /usr/sbin/rcmgr utility.
The syntax for the /usr/sbin/rcmgr command is as follows:
/usr/sbin/rcmgr set variable value
Enter the following commands to edit the /etc/rc.config.common
file and add the required information:
# /usr/sbin/rcmgr set BIND_CONF YES # /usr/sbin/rcmgr set
BIND_SERVERTYPE SLAVE # /usr/sbin/rcmgr set BIND_SERVERARGS "-b
/etc/namedb/named.conf" Edit the /etc/hosts file to add the
fully qualified BIND name of the host.
In order to run BIND, your system's host name must include the
BIND domain name. The fully qualified BIND host name consists
of the local host name plus the BIND domain name, separated by
dots. For example, the fully qualified BIND host name for a
system whose local host name is host2 and whose BIND domain name
is cities.dec.com is host2.cities.dec.com.
See the hosts(4) reference page for more information. Edit the
/etc/rc.config file by using the /usr/sbin/rcmgr utility. The
syntax for the /usr/sbin/rcmgr command is as follows:
/usr/sbin/rcmgr set variable value
Enter the following command to edit the /etc/rc.config file and
add the required information:
# /usr/sbin/rcmgr set HOSTNAME host2.cities.dec.com
Replace host2.cities.dec.com with your system's fully qualified
BIND name. Set the new host name with the /sbin/hostname com‐
mand.
For example, to set the host name to host2.cities.dec.com for a
system that was previously known locally as host2, enter the
following command:
# /sbin/hostname host2.cities.dec.com Start the named daemon by
issuing the following command:
# /sbin/init.d/named start
SETTING UP A STUB SERVER
Use the following procedure to set up a BIND stub server: Create the
/etc/resolv.conf file. See step 1 in the Setting Up the Master Server
section. Create the /etc/namedb/named.ca file. See step 3 in the Set‐
ting Up the Master Server section. Create the /etc/namedb/named.local
file. See step 4 in the Setting Up the Master Server section. Create
the configuration (boot) file.
A configuration file for a stub server should have the format
shown in the following example. Replace cities.dec.com with
your domain name, 120.105 with your network number, and
120.105.4.5 with the IP address of your domain's BIND master
server:
// named.conf
options {
directory "/etc/named";
/*
* If there is a firewall between you and nameservers
* you want to talk to, you might need to uncomment the
* query-source directive below. Previous versions of
BIND
* always asked questions using port 53, but BIND 8.1
uses
* an unprivileged port by default.
*/
// query-source address * port 53; };
// zone "cities.dec.com" {
type stub;
file "hosts.db";
masters {
120.105.4.5;
}; };
zone "120.105.in-addr.arpa" {
type stub;
file "hosts.rev";
masters {
120.105.4.5;
}; };
// // zone "0.0.127.in-addr.arpa" {
type master;
file "named.local"; };
// // load the cache data last zone "named.ca" {
type hint;
file ; };
The following entry indicates that this host serves itself its
own local host information:
primary 0.0.127.in-addr.arpa named.local
The default directory in which the database files are stored is
/etc/namedb. You can store them in any directory; however, if
you place them in a directory other than the default directory
you should change the /etc/namedb at the top of the configura‐
tion (boot) file to the name of the directory you have chosen.
Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr
utility. The syntax for the /usr/sbin/rcmgr command is as fol‐
lows: /usr/sbin/rcmgr set variable value
Enter the following commands to edit the /etc/rc.config.common
file and add the required information: # /usr/sbin/rcmgr set
BIND_CONF YES # /usr/sbin/rcmgr set BIND_SERVERTYPE STUB #
/usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"
Edit the /etc/hosts file to add the fully qualified BIND name of
the host.
In order to run BIND, your system's host name must include the
BIND domain name. The fully qualified BIND host name consists
of the local host name plus the BIND domain name, separated by
dots. For example, the fully qualified BIND host name for a
system whose local host name is host2 and whose BIND domain name
is cities.dec.com is host2.cities.dec.com.
See the hosts(4) reference page for more information. Edit the
/etc/rc.config file by using the /usr/sbin/rcmgr utility. The
syntax for the /usr/sbin/rcmgr command is as follows:
/usr/sbin/rcmgr set variable value
Enter the following command to edit the /etc/rc.config file and
add the required information: # /usr/sbin/rcmgr set HOSTNAME
host2.cities.dec.com
Replace host2.cities.dec.com with your system's fully qualified
BIND name. Set the new host name with the /sbin/hostname com‐
mand.
For example, to set the host name to host2.cities.dec.com for a
system that was previously known locally as host2, enter the
following command: # /sbin/hostname host2.cities.dec.com Start
the named daemon by issuing the following command: #
/sbin/init.d/named start
SETTING UP A CACHING-ONLY SERVER
Use the following procedure to set up a BIND caching-only server: Cre‐
ate the /etc/resolv.conf file. See step 1 in the Setting Up the Master
Server section. Create the /etc/namedb/named.ca file. See step 3 in
the Setting Up the Master Server section. Create the
/etc/namedb/named.local file. See step 4 in the Setting Up the Master
Server section. Create the configuration (boot) file.
The following is a sample named.conf file for a caching-only
server. Replace information that is appropriate for a caching-
only server in your domain:
// named.conf
options {
directory "/etc/named";
/*
* If there is a firewall between you and nameservers
* you want to talk to, you might need to uncomment the
* query-source directive below. Previous versions of
BIND
* always asked questions using port 53, but BIND 8.1
uses
* an unprivileged port by default.
*/
// query-source address * port 53; };
// zone "0.0.127.in-addr.arpa" {
type master;
file "named.local"; };
// // load the cache data last zone "named.ca" {
type hint;
file ; };
The default directory in which the database files are stored is
/etc/namedb. You can store them in any directory; however, if
you place them in a directory other than the default directory
you should change the /etc/namedb entry at the top of the con‐
figuration (boot) file to the name of the directory you have
chosen. Edit the /etc/rc.config.common file by using the
/usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr
command is as follows: /usr/sbin/rcmgr set variable value
Enter the following commands to edit the /etc/rc.config.common
file and add the required information:
# /usr/sbin/rcmgr set BIND_CONF YES # /usr/sbin/rcmgr set
BIND_SERVERTYPE CACHING # /usr/sbin/rcmgr set BIND_SERVERARGS
"-b /etc/namedb/named.conf" Edit the /etc/hosts file with the
fully qualified BIND name of the host.
In order to run BIND, your system's host name must include the
BIND domain name. The fully qualified BIND host name consists
of the local host name plus the BIND domain name, separated by
dots. For example, the fully qualified BIND host name for a
system whose local host name is host3 and whose BIND domain name
is cities.dec.com is host3.cities.dec.com.
See the hosts(4) reference page for more information. Edit the
/etc/rc.config file by using the /usr/sbin/rcmgr utility. The
syntax for the /usr/sbin/rcmgr command is as follows:
/usr/sbin/rcmgr set variable value
Enter the following command to edit the /etc/rc.config file and
add the required information:
# /usr/sbin/rcmgr set HOSTNAME host3.cities.dec.com
Replace host3.cities.dec.com with your system's fully qualified
BIND name. Set the new host name with the /sbin/hostname com‐
mand.
For example, to set the host name to host3.cities.dec.com for a
system that was previously known locally as host3, enter the
following command:
# /sbin/hostname host3.cities.dec.com Start the named daemon by
issuing the following command:
# /sbin/init.d/named start
SETTING UP A FORWARD-ONLY SERVER
Use the following procedure to set up a BIND forward-only server: Cre‐
ate the /etc/resolv.conf file. See step 1 in the Setting Up the Master
Server section. Create the /etc/namedb/named.local file. See step 4
in the Setting Up the Master Server section. Create the configuration
(boot) file. The following is a sample named.conf file for a forward-
only server. Replace 120.105.4.5 with the IP address of the BIND mas‐
ter server in your domain:
// named.conf
options {
directory "/etc/named";
forward only;
forwarders {
120.105.4.5;
};
/*
* If there is a firewall between you and nameservers
* you want to talk to, you might need to uncomment the
* query-source directive below. Previous versions of
BIND
* always asked questions using port 53, but BIND 8.1
uses
* an unprivileged port by default.
*/
// query-source address * port 53; };
// // zone "0.0.127.in-addr.arpa" {
type master;
file "named.local"; };
The default directory in which the database files are stored is
/etc/namedb. You can store them in any directory; however, if
you place them in a directory other than the default directory
you should change the /etc/namedb entry at the top of the con‐
figuration (boot) file to the name of the directory you have
chosen. Edit the /etc/rc.config.common file by using the
/usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr
command is as follows: /usr/sbin/rcmgr set variable value
Enter the following commands to edit the /etc/rc.config.common
file and add the required information:
# /usr/sbin/rcmgr set BIND_CONF YES # /usr/sbin/rcmgr set
BIND_SERVERTYPE FORWARDER # /usr/sbin/rcmgr set BIND_SERVERARGS
"-b /etc/namedb/named.conf" Edit the /etc/hosts file and add the
fully qualified BIND name of the host.
To run BIND, your system's host name must include the BIND
domain name. The fully qualified BIND host name consists of the
local host name plus the BIND domain name, separated by dots.
For example, the fully qualified BIND host name for a system
whose local host name is host4 and whose BIND domain name is
cities.dec.com is host4.cities.dec.com.
See the hosts(4) reference page for more information. Edit the
/etc/rc.config file by using the /usr/sbin/rcmgr utility. The
syntax for the /usr/sbin/rcmgr command is as follows:
/usr/sbin/rcmgr set variable value
Enter the following command to edit the /etc/rc.config file and
add the required information:
# /usr/sbin/rcmgr set HOSTNAME host4.cities.dec.com
Replace host4.cities.dec.com with your system's fully qualified
BIND name. Set the new host name with the /sbin/hostname com‐
mand.
For example, to set the host name to host4.cities.dec.com for a
system that was previously known locally as host4, enter the
following command:
# /sbin/hostname host4.cities.dec.com Start the named daemon by
issuing the following command:
# /sbin/init.d/named start
SETTING UP A CLIENT
Use the following procedure to set up a BIND client: Create the
/etc/resolv.conf file.
The /etc/resolv.conf file for a client contains the domain name
and IP addresses of up to three servers for the domain. These
name servers are the systems that the local host can query to
resolve host information. Format the /etc/resolv.conf file as
follows, replacing your domain name for cities.dec.com and the
IP addresses of your name servers for 120.105.4.5, 120.105.4.13,
and 120.105.5.160:
; ; BIND data file ; domain cities.dec.com nameserver
120.105.4.5 nameserver 120.105.4.13 nameserver
120.105.5.160 Edit the /etc/rc.config.common file by using the
/usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr
command is as follows: /usr/sbin/rcmgr set variable value
Enter the following commands to edit the /etc/rc.config.common
file and add the required information:
# /usr/sbin/rcmgr set BIND_CONF YES # /usr/sbin/rcmgr set
BIND_SERVERTYPE CLIENT Edit the /etc/rc.config file by using the
/usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr
command is as follows: /usr/sbin/rcmgr set variable value
Enter the following command to edit the /etc/rc.config file and
add the required information:
# /usr/sbin/rcmgr set HOSTNAME host4.cities.dec.com
Replace host4.cities.dec.com with your system's fully qualified
BIND name. Set the new host name with the /sbin/hostname com‐
mand.
For example, to set the host name to host4.cities.dec.com for a
system that was previously known locally as host4, enter the
following command:
# /sbin/hostname host4.cities.dec.com
CONFIGURING AUTHENTICATION
The following sections describe how to configure authentication on DNS
servers for the following purposes: Secure dynamic updates -- Allow the
master server to authenticate database updates it receives from clients
Secure zone transfers -- Allow the master server to authenticate zone
transfer requests it receives from slave servers, and subsequently,
allow the slave servers to authenticate the zone transfers they receive
from the master server.
Authentication is useful only when the private key remains a secret
between the servers; therefore, it is prudent to change this key fre‐
quently and save the key file as specified in the following sections to
prevent the key from being compromised.
Configuring Secure Dynamic Updates
To configure a master server to authenticate dynamic updates it
receives from new DNS clients (Microsoft Windows systems), do the fol‐
lowing:
Note
If you plan to use the nd6hostd daemon to update IPv6 zones, do not
enable authentication for those zones. The nd6hostd daemon does not
support authentication.
Generate a private key using the dnskeygen command, as follows:
# dnskeygen -H size -h -c -n key-name
Valid key sizes are 512, 576, 640, 704, 768, 832, 896, 960, and
1024. Larger keys are more cumbersome, but they are more
secure.
You can supply any name for a key, but it is best to give the
keys canonical names so they are easy to distinguish. For exam‐
ple, if hosts from the xyz.corp.com zone send dynamic updates to
your master server, marlin.xyz.corp.com, you might want to name
your key xyznet-marlin_update.
The dnskeygen command produces two files: K<key-name><proto-
id><key-id>.key
K<key-name><proto-id><key-id>.private
Hereafter, these files are referred to as the and files.
For more information about generating keys, see dnskeygen(1).
Create a file, possibly named.keys, to contain the key configu‐
ration statement for the update. This file should be
read/writeable only by superuser to prevent the private key from
being compromised. For example:
# cd /etc/namedb # touch key-config-file # chmod 600 key-config-
file Incorporate the key information from the file into the key-
config-file by adding the following key statement:
key key-name {
algorithm hmac-md5;
secret "generated-key"; };
In the key statement, replace key-name with the name of the key
and generated-key with the entire private key as it appears in
the file. It is best to enter the key by opening the file in
another window, copying the necessary key text, and pasting the
text into the text editor window. There should be no line feeds
or spaces between the quotes that contain the key; if even one
character is entered incorrectly, authentication fails. Add the
following include statement to the top of the
/etc/namedb/named.conf file:
include "/etc/namedb/key-config-file";
Replace key-config-file with the name of the key configuration
file you created in steps 2 and 3.
When the named daemon starts and reads the DNS data file, it
calls the key-config-file and parses its contents. Enable
secure dynamic updates for the master zone by adding the allow-
update substatement to the master zone statements (for forward
and reverse lookups) in the named.conf file :
zone "cities.dec.com" {
type master;
file "hosts.db";
allow-update {
key key-name;
}; };
zone "120.105.in-addr.arpa" {
type master;
file "hosts.rev";
allow-update {
key key-name;
}; };
Replace key-name with the name of the file you created in steps
2 and 3.
Specifying a key in this statement ensures that updates are suc‐
cessful only if they are signed with the private key. Continue
setting up your master server. Otherwise, if you are enabling
authentication on a running server, restart the named daemon by
issuing the following command:
# /sbin/init.d/named restart
Once you have configured the master server to support secure dynamic
DNS updates from new hosts, you can distribute the private key as nec‐
essary to administrators who need to add these hosts to the network. It
is best to physically distribute the key on magnetic or optical media
as opposed to sending it over the network where it can be compromised.
You can format a floppy for this purpose. See mtools(1) for information
about formatting and reading Microsoft Windows-compatible floppy disks
on a Tru64 UNIX system. If the described tools are not available, you
need to install the OSFDOSTOOLS subset.
Note that when clients send updates to the master server, the named
daemon does not immediately update the master database files. It cre‐
ates temporary database.ixfr and database.log files where it logs the
changes until they can be incorporated into the database. However, the
daemon does become aware of the updates almost immediately in memory.
You can verify them with the nslookup command. See nslookup(8).
Configuring Secure Zone Transfers
To configure a master server and slave servers to use authentication
for zone transfers, do the following:
On the master server, perform steps 1-4 as specified in Configuring
Secure Dynamic Updates.
When creating a key name, choose a name that describes the zone
transfer. For example, if the master server, mar‐
lin.xyz.corp.com, is sending updates to the slave server, min‐
now.xyz.corp.com, for the xyz.corp.com zone, you might name the
key xyznet-marlin-minnow_transfer. On the master server, add
the allow-transfer substatement to the master zone statements
(for forward and reverse lookups) in the /etc/namedb/named.conf
file. include "/etc/namedb/key-file";
.
.
. zone "cities.dec.com" {
type master;
file "hosts.db";
allow-transfer {
key key-name; };
zone "120.105.in-addr.arpa" {
type master;
file "hosts.rev";
allow-transfer {
key key-name; };
Replace key-name with the name of the key as you specified it in
the key configuration file you created in steps 2 and 3 of Con‐
figuring Secure Dynamic Updates.
Adding this server statement ensures that the master servers
transfers the zone only if the request is signed with the pri‐
vate key. It also ensures that the master server signs the zone
transfer with the key before it sends the data to the slave
server. Transfer the key configuration file (key-config-file or
named.keys) over from the master server to the slave server. It
is best to physically transfer this file on magnetic or optical
media as opposed to sending it over the network where it can be
compromised.
You can format a floppy for this purpose. See mtools(1) for
information about formatting and reading Microsoft Windows-com‐
patible floppy disks on a Tru64 UNIX system. If the described
tools are not available, you need to install the OSFDOSTOOLS
subset.
On the slave server, ensure that the permissions are set for
read/writable only by superuser: # chmod 600 key-config-file On
the slave server, add an include statement to the named.conf
file to call the key-config-file. Also, insert the server state‐
ment after the include statement and before any zone statements:
include "/etc/namedb/key-config-file";
.
.
. server 120.105.4.5 {
keys {key-name}; };
Replace key-config-file with the name of the key configuration
file you copied over from the master server. Replace
120.105.4.5 with the IP address of your master server. Finally,
replace key-name with the name of the key you specifed in the
key-config-file.
Adding the server statement ensures that the slave server signs
requests for zone transfers from the master server with the pri‐
vate key. It also ensures that the slave server authenticates
signed zone transfers from the master server before it incorpo‐
rates them into its data files. Continue setting up your master
or slave servers. Otherwise, if you are enabling authentication
on running servers, restart the named daemon on each server by
issuing the following command: # /sbin/init.d/named restart
POST-SETUP PROCEDURES
After you configure BIND on your system, you must restart the sendmail
process and edit the /etc/svc.conf file.
Restarting the sendmail Process
To kill and restart the sendmail process, enter the following command:
# /sbin/init.d/sendmail restart
Editing the svc.conf File
The /etc/svc.conf file is the database service selection configuration
file that your system references to determine what distributed database
lookup services are running on your system, which databases are being
served by them, and in what order to query them. After configuring
BIND, you must edit the /etc/svc.conf file to tell your system that you
want BIND servers queried for host name and address information. For
information on editing the /etc/svc.conf file, see the svc.conf(4) and
svcsetup(8) reference pages and the Network Administration: Services
manual.
RELATED INFORMATION
Commands: bindconfig(8), dnskeygen(1), named(8), nslookup(8), svc‐
setup(8)
Files: named.conf(4), resolv.conf(4), svc.conf(4)
Networking: bind_intro(7)
Network Administration: Services
bind_manual_setup(7)
