Bind9 journal file location

Before using this key to sign a zone, we must create a pair of BIND 9 key files. Signing with the private key takes place inside the HSM. This provides less security than an HSM key, but since HSMs can be slow or cumbersome to use for security reasons, it may be more efficient to reserve HSM keys for use in the less frequent key-signing operation.

The zone-signing key can be rolled more frequently, if you wish, to compensate for a reduction in key security. Now you can sign the zone. Specifying the engine will generally not be necessary unless for some reason you wish to use a different OpenSSL engine. This causes dnssec-signzone to run as if it were compiled without the --with-pkcs11 option. This may be useful when testing a new provider library.

The location of the openssl. Be sure this is what you want to do before configuring the system in this way. There is no required format or schema.

Historically, DLZ drivers had to be statically linked with the named binary and were turned on via a configure option at compile time (for example, configure --with-dlz-ldap).

In BIND 9. This conversion, and the lack of any internal caching, places significant limits on the query performance of DLZ modules.

Consequently, DLZ is not recommended for use on high-volume servers. However, it can be used in a hidden primary master configuration, with secondaries retrieving zone updates via AXFR. Note, however, that DLZ has no built-in support for DNS notify; secondary servers are not automatically informed of changes to the zones in the database. A DLZ database is configured with a dlz statement in named. This specifies a DLZ module to search when answering queries; the module is implemented in driver.

Multiple dlz statements can be specified; when answering a query, all DLZ modules with search set to yes are queried to see whether they contain an answer for the query name. The best available answer is returned to the client. The search option in the above example can be omitted, because yes is the default value. If search is set to no, this DLZ module is not searched for the best match when a query is received.

Instead, zones in this DLZ must be separately specified in a zone statement. The example sets up a single zone, whose name is passed to the module as an argument in the dlz statement. The sample driver can retrieve information about the querying client and alter its response on the basis of this information.

Normally, this feature would be used to alter responses in some other fashion, e. A DynDB database is configured with a dyndb statement in named. The file driver. Multiple dyndb statements can be specified, to load different drivers or multiple instances of the same driver. Zone configuration is handled internally by the DynDB module. Configuration syntax differs depending on the driver. The example sets up two zones, whose names are passed to the module as arguments in the dyndb statement.

When the zone is updated dynamically, the DynDB module determines whether the updated RR is an address i. Note that updates are not stored permanently; all updates are lost when the server is restarted. When the catalog zone is updated (for example, to add or delete member zones, or change their configuration parameters), those changes are immediately put into effect.

Normally, if a zone is to be served by a secondary server, the named. A catalog zone is a way to ease this administrative burden: it is a DNS zone that lists member zones that should be served by secondary servers. When a secondary server receives an update to the catalog zone, it adds, removes, or reconfigures member zones based on the data received. To use a catalog zone, it must first be set up as a normal zone on both the primary and secondary servers that are configured to use it.

It must also be added to a catalog-zones list in the options or view statement in named. This is comparable to the way a policy zone is configured as a normal zone and also listed in a response-policy statement. When the secondary receives the update to the catalog zone, it detects the entry for the new member zone, creates an instance of that zone on the secondary server, and points that instance to the masters specified in the catalog zone data.

The newly created member zone is a normal secondary zone, so BIND immediately initiates a transfer of zone contents from the primary.

Once complete, the secondary starts serving the member zone. The secondary server, on processing the update, notices that the member zone has been removed, stops serving the zone, and removes it from its list of configured zones.

However, removing the member zone from the primary server must be done by editing the configuration file or running rndc delzone. Catalog zones are configured with a catalog-zones statement in the options or view section of named. This statement specifies that the zone catalog. This zone must be properly configured in the same view. In most configurations, it would be a secondary zone. Catalog zones are defined on a per-view basis. Configuring a non-empty catalog-zones statement in a view automatically turns on allow-new-zones for that view.

This means that rndc addzone and rndc delzone also work in any view that supports catalog zones. A record stating the version of the catalog zone format is also required. If the version number listed is not supported by the server, then a catalog zone may not be used by that server.

Note that this record must have the domain name version. The data stored in a catalog zone is indicated by the domain name label immediately before the catalog zone domain. Catalog zone options can be set either globally for the whole catalog zone or for a single member zone.

Global options override the settings in the configuration file, and member zone options override global options. A simple masters definition. If multiple primaries are set, the order in which they are used is random. A masters with a TSIG key defined. This option defines a primary server for the member zone with a TSIG key set. The TSIG key must be configured in the configuration file.

These options are the equivalents of allow-query and allow-transfer in a zone declaration in the named. The ACL is processed in order; if there is no match to any rule, the default policy is to deny access. A member zone is added by including a PTR resource record in the zones sub-domain of the catalog zone.

The record label is a SHA-1 hash of the member zone name in wire format. The target of the PTR record is the member zone name.

For example, to add the member zone domain. The hash is necessary to identify options for a specific member zone. The member zone-specific options are defined the same way as global options, but in the member zone subdomain:. Options defined for a specific zone override the global options defined in the catalog zone. These in turn override the global options defined in the catalog-zones statement in the configuration file.

Note that none of the global records for an option are inherited if any records are defined for that option for the specific zone. BIND 9 fully supports all currently defined forms of IPv6 name-to-address and address-to-name lookups. It also uses IPv6 addresses to make queries when running on an IPv6-capable system.

However, authoritative BIND 9 name servers still load zone files containing A6 records correctly, answer queries for A6 records, and accept zone transfer for a zone containing A6 records. Many applications in BIND 9 do not understand the binary label format at all anymore, and return an error if one is given. In particular, an authoritative BIND 9 name server will not load a zone file containing binary labels.

For example,. Use of IPv4-in-IPv6 mapped addresses is not recommended. When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and ip6. For example, the following would provide reverse name lookup for a host with address db

I'm mentioning this to help anyone to avoid the unnecessary time trying to resolve their DNS, owing to the inconsistencies in this document, particularly if you're new to DNS configuration. One example is here. Here it changes to box. I believe the author was simply trying to show that additional computers would be listed, but failed to use a different address for box. I modified the example file to give box an address of

Computers that run DNS are called name servers. This guide is aimed at people looking to learn how to configure and maintain a DNS server, such as for a network caching name server or to serve DNS zones for a domain name.

No additional repository needs to be enabled for BIND9. Before we begin, you should be familiar with RootSudo. To install the server simply install the bind9 package. See InstallingSoftware for details on using package managers. A very useful package for testing and troubleshooting DNS issues is the dnsutils package.

Some of the most useful setups are:

Caching Server: In this configuration BIND9 will find the answer to name queries and remember the answer for the next query. This can be useful for a slow internet connection. By caching DNS queries, you will reduce bandwidth and, more importantly, latency.

Primary Master Server: BIND9 can be used to serve DNS records (groups of records are referred to as zones) for a registered domain name or an imaginary one (but only if used on a restricted network).

Secondary Master Server: A secondary master DNS server is used to complement a primary master DNS server by serving a copy of the zone(s) configured on the primary server. Secondary servers are recommended in larger setups. If you intend to serve a registered domain name, they ensure that your DNS zone is still available even if your primary server is not online.

All that is required is simply combining the different configuration examples. These are effectively the same as Primary and Secondary DNS servers, but with a slight organizational difference.