DNS and BIND Other resources from O’Reilly Related titles DNS and BIND Cookbook™ DNS on Windows Server 2003 oreilly.com oreilly.com is more than a complete catalog of O’Reilly books. You’llalsofindlinkstonews,events,articles,weblogs,sample chapters, and code examples. oreillynet.comistheessentialportalfordevelopersinterestedin openandemergingtechnologies,includingnewplatforms,pro- gramming languages, and operating systems. Conferences O’Reillybringsdiverseinnovatorstogethertonurturetheideas thatsparkrevolutionaryindustries.Wespecializeindocument- ing the latest tools and systems, translating the innovator’s knowledgeintousefulskillsforthoseinthetrenches.Visitcon- ferences.oreilly.com for our upcoming events. Safari Bookshelf (safari.oreilly.com) is the premier online refer- ence library for programmers and IT professionals. Conduct searchesacrossmorethan1,000books.Subscriberscanzeroin on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or sim- ply flip to the page you need. Try it today for free. FIFTH EDITION DNS and BIND Cricket Liu and Paul Albitz Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo DNS and BIND, Fifth Edition by Cricket Liu and Paul Albitz Copyright © 2006, 2001, 1998, 1997, 1992 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 [email protected]. Editor: Mike Loukides Cover Designer: Edie Freedman Production Editor: Matt Hutchinson Interior Designer: David Futato Copyeditor: Mary Anne Weeks Mayo Cover Illustrator: Karen Montgomery Proofreader: Matt Hutchinson Illustrators: RobertRomanoandJessamynRead Indexer: Ellen Troutman-Zaig Printing History: October 1992: First Edition. January 1997: Second Edition. September 1998: Third Edition. April 2001: Fourth Edition. May 2006: Fifth Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’ReillyMedia,Inc.DNSandBIND,theimageofgrasshoppers,andrelatedtradedressaretrademarks of O’Reilly Media, Inc. Manyofthedesignationsusedbymanufacturersandsellerstodistinguishtheirproductsareclaimedas trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. This book uses RepKover™, a durable and flexible lay-flat binding. ISBN: 978-0-596-10057-5 [M] [7/09] Table of Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi 1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 A (Very) Brief History of the Internet 1 On the Internet and Internets 2 The Domain Name System, in a Nutshell 4 The History of BIND 9 Must I Use DNS? 9 2. How Does DNS Work?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 The Domain Namespace 11 The Internet Domain Namespace 17 Delegation 21 Nameservers and Zones 22 Resolvers 26 Resolution 27 Caching 34 3. Where Do I Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Getting BIND 37 Choosing a Domain Name 41 4. Setting Up BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Our Zone 53 Setting Up Zone Data 54 Setting Up a BIND Configuration File 65 Abbreviations 68 Hostname Checking 71 v Tools 73 Running a Primary Nameserver 74 Running a Slave Nameserver 81 Adding More Zones 88 What’s Next? 88 5. DNS and Electronic Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 MX Records 90 Movie.edu’s Mail Server 92 What’s a Mail Exchanger, Again? 92 The MX Algorithm 94 DNS and Email Authentication 96 6. Configuring Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 The Resolver 100 Resolver Configuration 101 Sample Resolver Configurations 112 Minimizing Pain and Suffering 114 Additional Configuration Files 119 The Windows XP Resolver 120 7. Maintaining BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Controlling the Nameserver 127 Updating Zone Datafiles 136 Organizing Your Files 143 Changing System File Locations 147 Logging 148 Keeping Everything Running Smoothly 158 8. Growing Your Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 How Many Nameservers? 177 Adding More Nameservers 185 Registering Nameservers 189 Changing TTLs 192 Planning for Disasters 195 Coping with Disaster 198 vi | Table of Contents 9. Parenting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 When to Become a Parent 202 How Many Children? 202 What to Name Your Children 203 How to Become a Parent: Creating Subdomains 204 Subdomains of in-addr.arpa Domains 214 Good Parenting 220 Managing the Transition to Subdomains 223 The Life of a Parent 225 10. Advanced Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Address Match Lists and ACLs 226 DNS Dynamic Update 228 DNS NOTIFY (Zone Change Notification) 235 Incremental Zone Transfer (IXFR) 240 Forwarding 244 Views 247 Round-Robin Load Distribution 250 Nameserver Address Sorting 253 Preferring Nameservers on Certain Networks 255 A Nonrecursive Nameserver 256 Avoiding a Bogus Nameserver 257 System Tuning 258 Compatibility 267 The ABCs of IPv6 Addressing 268 Addresses and Ports 270 11. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 TSIG 283 Securing Your Nameserver 287 DNS and Internet Firewalls 300 The DNS Security Extensions 322 12. nslookup and dig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Is nslookup a Good Tool? 349 Interactive Versus Noninteractive 351 Option Settings 352 Avoiding the Search List 355 Common Tasks 355 Table of Contents | vii Less Common Tasks 358 Troubleshooting nslookup Problems 366 Best of the Net 370 Using dig 371 13. Reading BIND Debugging Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Debugging Levels 376 Turning On Debugging 379 Reading Debugging Output 380 The Resolver Search Algorithm and Negative Caching (BIND 8) 393 The Resolver Search Algorithm and Negative Caching (BIND 9) 394 Tools 395 14. Troubleshooting DNS and BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Is NIS Really Your Problem? 396 Troubleshooting Tools and Techniques 397 Potential Problem List 409 Transition Problems 426 Interoperability and Version Problems 427 TSIG Errors 431 Problem Symptoms 432 15. Programming with the Resolver and Nameserver Library Routines . . . . . 438 Shell Script Programming with nslookup 438 C Programming with the Resolver Library Routines 445 Perl Programming with Net::DNS 470 16. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 External, Authoritative DNS Infrastructure 474 Forwarder Infrastructure 478 Internal DNS Infrastructure 480 Operations 481 Keeping Up with DNS and BIND 482 viii | Table of Contents