summaryrefslogtreecommitdiffstats
path: root/contrib/bind/doc/misc
diff options
context:
space:
mode:
authorpeter <peter@FreeBSD.org>1996-08-29 19:20:22 +0000
committerpeter <peter@FreeBSD.org>1996-08-29 19:20:22 +0000
commit2d3cf9fcaf1ca2528c5fe3ba683d1f6c1268dc41 (patch)
tree8652a0312f865a787c6c1c3003491b4e62ce0ea7 /contrib/bind/doc/misc
downloadFreeBSD-src-2d3cf9fcaf1ca2528c5fe3ba683d1f6c1268dc41.zip
FreeBSD-src-2d3cf9fcaf1ca2528c5fe3ba683d1f6c1268dc41.tar.gz
Take #2. Import bind-4.9.4-P1 into the intended directory!
This has most of the non-essential stuff removed (ie: what is not built) bmake glue to follow.
Diffstat (limited to 'contrib/bind/doc/misc')
-rw-r--r--contrib/bind/doc/misc/FAQ.1of21339
-rw-r--r--contrib/bind/doc/misc/FAQ.2of21131
-rw-r--r--contrib/bind/doc/misc/IPv672
-rw-r--r--contrib/bind/doc/misc/dns-setup1081
-rw-r--r--contrib/bind/doc/misc/style.txt172
5 files changed, 3795 insertions, 0 deletions
diff --git a/contrib/bind/doc/misc/FAQ.1of2 b/contrib/bind/doc/misc/FAQ.1of2
new file mode 100644
index 0000000..ab55bea
--- /dev/null
+++ b/contrib/bind/doc/misc/FAQ.1of2
@@ -0,0 +1,1339 @@
+Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers
+Path: vixie!news1.digital.com!uunet!in1.uu.net!usc!rutgers!njitgw.njit.edu!hertz.njit.edu!cdp2582
+From: cdp@njit.edu (Chris Peckham)
+Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 1 of 2)
+Message-ID: <cptd-faq-1-810621452@njit.edu>
+Followup-To: comp.protocols.tcp-ip.domains
+Originator: cdp2582@hertz.njit.edu
+Keywords: BIND,DOMAIN,DNS
+Sender: news@njit.edu
+Supersedes: <cptd-faq-1-807632375@njit.edu>
+Nntp-Posting-Host: hertz.njit.edu
+X-Posting-Frequency: posted on the 1st of each month
+Reply-To: domain-faq@njit.edu (comp.protocols.tcp-ip.domains FAQ comments)
+Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA
+Date: Sat, 9 Sep 1995 04:37:47 GMT
+Approved: news-answers-request@MIT.EDU
+Expires: Sat 14 Oct 95 00:37:32 EDT
+Lines: 1319
+Xref: vixie comp.protocols.tcp-ip.domains:6018 comp.answers:13881 news.answers:49918
+
+Posted-By: auto-faq 3.1.1.2
+Archive-name: internet/tcp-ip/domains-faq/part1
+Revision: 1.6 1995/05/12 18:49:48
+
+
+This FAQ is edited and maintained by Chris Peckham, <cdp@njit.edu>.
+The latest version may always be found for anonymous ftp from
+
+ ftp://rtfm.mit.edu/pub/usenet/news.answers/internet/tcp-ip/domains-faq
+ ftp://ftp.njit.edu/pub/dns/Comp.protocols.tcp-ip.domains.FAQ
+
+If you can contribute any answers for items in the TODO section, please do
+so by sending e-mail to domain-faq@njit.edu ! If you know of any items that
+are not included and you feel that they should be, send the relevant
+information to domain-faq@njit.edu.
+
+
+------------------------------
+
+Date: Fri May 12 14:41:47 EDT 1995
+Subject: Table of Contents
+
+Table of Contents
+=================
+Part 1
+------
+ 0. TO DO
+ 1. INTRODUCTION / MISCELLANEOUS
+ 1.1 What is this newsgroup ?
+ 1.2 More information
+ 1.3 What is BIND and where is the latest version of BIND ?
+ 1.4 How can I find the route between systems ?
+ 1.5 Finding the hostname if you have the tcp-ip address
+ 1.6 How to register a domain name
+ 1.7 Change of Domain name
+ 1.8 How memory and CPU does DNS use ?
+ 1.9 Other things to consider when planning your servers
+ 1.10 Proper way to get NS and reverse IP records into DNS
+ 1.11 How to get my address assign from NIC?
+ 1.12 Is there a block of private IP addresses I can use?
+ 1.13 Cache failed lookups
+ 1.14 What does an NS record really do ?
+ 1.15 DNS ports
+ 1.16 Obtaining the latest cache file
+ 2. UTILITIES
+ 2.1 Utilities to administer DNS zone files
+ 2.2 DIG - Domain Internet Groper
+ 2.3 DNS packet analyzer
+ 2.4 host
+ 2.5 Programming with DNS
+ 2.6 A source of information relating to DNS
+ 3. DEFINITIONS
+ 3.1 TCP/IP Host Naming Conventions
+ 3.2 Slaves and servers with forwarders
+ 3.3 When is a server authoritative?
+ 3.4 Underscore in host-/domain names
+ 3.5 Lame delegation
+ 3.6 What does opt-class field do?
+ 3.7 Top level domains
+ 3.8 Classes of networks
+ 3.9 What is CIDR ?
+ 3.10 What is the rule for glue ?
+
+Part 2
+------
+ 4. CONFIGURATION
+ 4.1 Changing a Secondary server to a Primary
+ 4.2 How do I subnet a Class B Address ?
+ 4.3 Subnetted domain name service
+ 4.4 Recommended format/style of DNS files
+ 4.5 DNS on a system not connected to the Internet
+ 4.6 Multiple Domain configuration
+ 4.7 wildcard MX records
+ 4.8 How to identify a wildcard MX record
+ 4.9 Why are fully qualified domain names recommended ?
+ 4.10 Distributing load using named
+ 4.11 Order of returned records
+ 4.12 resolv.conf
+ 4.13 Delegating authority
+ 4.14 DNS instead of NIS on a Sun OS 4.1.x system
+ 5. PROBLEMS
+ 5.1 No address for root server
+ 5.2 Error - No Root Nameservers for Class XX
+ 5.3 Bind 4.9.x and MX querying?
+ 5.4 Some root nameservers don't know localhost
+ 5.5 MX records and CNAMES and separate A records for MX targets
+ 5.6 NS is a CNAME
+ 5.7 Nameserver forgets own A record
+ 5.8 General problems (core dumps !)
+ 5.9 malloc and DECstations
+ 6. ACKNOWLEDGEMENTS
+
+------------------------------
+
+Date: Wed May 3 12:55:13 EDT 1995
+Subject: Q0 - TO DO list
+
+
+* How to do an initial installation
+* How to change service providers (what happens)
+* Explain the difference between BIND (an implementation) and DNS (spec)
+* Expand the slave/forward section of Q 3.2
+* Add a definition of a "private domain" in discussion (or cut it out)
+* mention mail-to-news gateways for newsgroup, mailing lists, anonymous
+ ftp, etc in what is newsgroup section
+* The evils of wildcard MX records
+
+
+
+-------------------------------
+
+Date: Thu Dec 1 11:08:28 EST 1994
+Subject: Q1.1 - What is this newsgroup ?
+
+comp.protocols.tcp-ip.domains is the usenet newsgroup for discussion
+on issues relating to the Domain Name System (DNS).
+
+This newsgroup is not for issues directly relating to IP routing and
+addressing. Issues of that nature should be directed towards
+comp.protocols.tcp-ip.
+
+
+-------------------------------
+
+
+Date: Fri May 12 13:54:01 EDT 1995
+Subject: Q1.2 - More information
+
+ You can find more information concerning DNS in the following places:
+
+ * The BOG (BIND Operations Guide) - in the BIND distribution
+ * The FAQ included with bind4.9.3 doc/misc/FAQ
+ * DNS and BIND by Albitz and Liu (an O'Reilly & Associates Nutshell
+ handbook)
+ * A number of RFCs (920, 974, 1032, 1034, 1101, 1123, 1178, 1183, 1348,
+ 1535, 1536, 1537, 1591, 1706, 1712, 1713)
+ * The DNS Resource Directory (DNSRD)
+ http://www.dns.net/dnsrd
+ * If you are having troubles relating to sendmail and DNS, you may wish to
+ refer to the USEnet newsgroup comp.mail.sendmail and/or the FAQ for that
+ newsgroup
+ ftp://rtfm.mit.edu/pub/usenet/news.answers/mail/sendmail-faq
+ * Information concerning some frequently asked questions relating to
+ the Internet (i.e., what is the InterNIC, what is an RFC, what is the
+ IETF, etc) may be found for anonymous ftp from
+ ftp://ds.internic.net/fyi/fyi4.txt
+ A version may also be obtained with the URL
+ gopher://ds.internic.net/00/fyi/fyi4.txt
+
+
+-------------------------------
+
+Date: Fri Aug 4 10:18:58 EDT 1995
+Subject: Q1.3 - What is BIND and where is the latest version of BIND ?
+
+Q: What is BIND ?
+
+A: From the BOG Introduction -
+
+ The Berkeley Internet Name Domain (BIND) implements
+ an Internet name server for the BSD operating system.
+ The BIND consists of a server (or ``daemon'') and a
+ resolver library. A name server is a network service
+ that enables clients to name resources or objects and
+ share this information with other objects in the network.
+ This in effect is a distributed data base system for
+ objects in a computer network. BIND is fully integrated
+ into BSD (4.3 and later releases) network programs for
+ use in storing and retrieving host names and address.
+ The system administrator can configure the system to use
+ BIND as a replacement to the older host table lookup of
+ information in the network hosts file /etc/hosts. The
+ default configuration for BSD uses BIND.
+
+Q: Where is the latest non-beta version of BIND ?
+
+A: The latest non-beta version of BIND is version 4.9.2. This can be
+ found for anonymous ftp from
+
+ ftp://gatekeeper.dec.com/pub/misc/vixie/4.9.2-940221.tar.gz
+
+Q: Where is the latest version of 4.9.3 located ?
+
+A: You can reference this URL:
+
+ http://www.isc.org/isc/
+
+ At this time, the latest version of 4.9.3 may be found for anonymous ftp
+ from
+
+ ftp://ftp.vix.com/pub/bind/testing/bind-4.9.3-BETA24.tar.gz
+
+ You will need GNU zip, Larry Wall's patch program (if there are any
+ patch files), and a C compiler to get BIND running from the above
+ mentioned source.
+
+ GNU zip is available for anonymous ftp from
+
+ ftp://prep.ai.mit.edu/pub/gnu/gzip-1.2.4.tar
+
+ patch is available for anonymous ftp from
+
+ ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
+
+------------------------------
+
+Date: Mon Jan 2 13:27:27 EST 1995
+Subject: Q1.4 - How can I find the route between systems
+
+Q: How can I find the path taken by packets between two systems/domains ?
+
+A: Get the source of the 'traceroute' command, compile it and install
+ it on your system.
+
+ One version of this program with additional functionality may be found
+ for anonymous ftp from
+
+ ftp://ftp.nikhef.nl/pub/network/traceroute.tar.Z
+
+ This package is mirrored at
+
+ ftp://ftp.njit.edu/pub/dns/nikhef/traceroute.tar.Z
+
+ Another version may be found for anonymous ftp from
+
+ ftp://ftp.psc.edu/pub/net_tools/traceroute.tar
+
+
+------------------------------
+
+Date: Thu Dec 1 09:55:24 EST 1994
+Subject: Q1.5 - Finding the hostname if you have the tcp-ip address
+
+Q: Can someone tell me how can I find the name of the domain if I know the
+ tcp-ip address of the domain? Is there some kind of service for this?
+
+A: For an address a.b.c.d you can always do:
+
+% nslookup
+> set q=ptr
+> d.c.b.a.in-addr.arpa.
+
+ Most newer version of nslookup (since 4.8.3) will recognize an address,
+ so you can just say:
+
+% nslookup a.b.c.d
+
+ DiG will work like this also:
+
+$ dig -x a.b.c.d
+
+ Host from the contrib/host from the bind distribution may also be used.
+
+-------------------------------
+
+Date: Fri Apr 28 13:16:32 EDT 1995
+Subject: Q1.6 - How to register a domain name
+
+Q: I would like to register a domain. How do I do this ? Can a name be
+ reserved, or must we already have an IP address and be hooked up to the
+ Internet before obtaining a domain name?
+
+A: You can talk to your Internet Service Provider (ISP). They can submit
+ the registration for you. If you are not going to be directly
+ connected, they should be able to offer MX records for your domain
+ for mail delivery (so that mail sent to the new domain will be sent
+ to your "standard" account). In the case where the registration is
+ done by the organization itself, it still makes the whole process
+ much easier if the ISP is approached for secondary servers _before_
+ the InterNIC is approached for registration.
+
+ For information about making the registration yourself, look to the
+ InterNIC !
+
+ ftp://internic.net/templates/
+ gopher://rs.internic.net/
+ http://www.internic.net/infoguide.html
+ http://www.ripe.net
+
+ You will need at least two domain name servers when you register your
+ domain. Many ISP's are willing to provide primary and/or secondary name
+ service for their customers.
+
+ Many times, registration of a domain name can be initiated by sending
+ e-mail to the zone contact. You can obtain the contact in the
+ SOA record for the country, or in a whois server:
+
+ $ nslookup -type=SOA fr.
+ origin = ns1.nic.fr
+ mail addr = nic.nic.fr
+ ...
+
+ The mail address to contact in this case is 'nic@nic.fr' (you must
+ substitute an '@' for the first dot in the mail addr field).
+
+ An alternate method to obtain the e-mail address of the national NIC
+ is the 'whois' server at InterNIC.
+
+ You may be requested to make your request to another email address or
+ using a certain information template/application.
+
+
+-------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q1.7 - Change of Domain name
+
+Q: We are preparing for a change of our domain name:
+ abc.foobar.com -> foobar.net
+
+ What are the tricks and caveats we should be aware of ?
+
+A: The forward zones are easy and there are a number of ways to do it.
+ One way is the following:
+
+ Have a single db file for the 2 domains, and have a single machine
+ be the primary server for both abc.foobar.com and foobar.net.
+
+ To resolve the host foo in both domains, use a single zone file which
+ merely uses this for the host:
+
+foo IN A 1.2.3.4
+
+ Use a "@" wherever the domain would be used ie for the SOA:
+
+@ IN SOA (...
+
+ Then use this pair of lines in your named.boot:
+
+primary abc.foobar.com db.foobar
+primary foobar.net db.foobar
+
+ The reverse zones should either contain PTRs to both names,
+ or to whichever name you believe to be canonical currently.
+
+-------------------------------
+
+Date: Fri Apr 28 13:52:20 EDT 1995
+Subject: Q1.8 - How memory and CPU does DNS use ?
+
+Q: How much memory and CPU does DNS use ?
+
+A: It can use quite a bit ! The main thing that BIND needs is memory.
+ It uses very little CPU or network bandwidth. The main
+ considerations to keep in mind when planning are:
+
+ 1) How many zones do you have and how large are they ?
+ 2) How many clients do you expect to serve and how active are they ?
+
+ As an example, here is a snapshot of memory usage from CSIRO Division
+ of Mathematics and Statistics, Australia
+
+ Named takes several days to stabalize its memory usage.
+
+ Our main server stabalises at ~10Mb. It takes about 3 days to
+ reach this size from 6 M at startup. This is under Sun OS 4.1.3U1.
+
+ As another example, here is the configuration of ns.uu.net (from late
+ 1994):
+
+ ns.uu.net only does nameservice. It is running a version of BIND
+ 4.9.3 on a Sun Classic with 96 MB of RAM, 220 MB of swap (remember
+ that Sun OS will reserve swap for each fork, even if it is not needed)
+ running Sun OS 4.1.3_U1.
+
+ Joseph Malcolm, of Alternet, states that named generally hovers at
+ 5-10% of the CPU, except after a reload, when it eats it all. He
+ also states that if you are interested in the network connectivity
+ around the system (ns.uu.net is located off of Falls-Church4), a
+ PostScript map is available for anonymous ftp from
+
+ ftp://ftp.uu.net/uunet-info/alternet.map.ps
+
+
+-------------------------------
+
+Date: Mon Jan 2 14:24:51 EST 1995
+Subject: Q1.9 - Other things to consider when planning your servers
+
+ When making the plans to set up your servers, you may want to also
+ consider the following issues:
+
+ A) Server O/S limitations/capacities (which tend to be widely
+ divergent from vendor to vendor)
+ B) Client resolver behavior (even more widely divergent)
+ C) Expected query response time
+ D) Redundancy
+ E) Desired speed of change propagation
+ F) Network bandwidth availability
+ G) Number of zones/subdomain-levels desired
+ H) Richness of data stored (redundant MX records? HINFO records?)
+ I) Ease of administration desired
+ J) Network topology (impacts reverse-zone volume)
+
+ Assuming a best-possible case for the factors above, particularly (A), (B),
+ (C), (F), (G) & (H), it would be possible to run a 1000-node domain
+ using a single lowly 25 or 40 MHz 386 PC with a fairly modest amount of RAM
+ by today's standards, e.g. 4 or 8 Meg. However, this configuration would
+ be slow, unreliable, and would provide no functionality beyond your basic
+ address-to-name and name-to-address mappings.
+
+ Beyond that baseline case, depending on what factors listed above,
+ you may want look at other strategies, such splitting up the DNS
+ traffic among several machines strategically located, possibly larger ones,
+ and/or subdividing your domain itself. There are many options, tradeoffs,
+ and DNS architectural paradigms from which to choose.
+
+
+------------------------------
+
+Date: Mon Jan 2 13:03:53 EST 1995
+Subject: Q1.10 - Proper way to get NS and reverse IP records into DNS
+
+
+Q: Reverse domain registration is separate from forward domain registration.
+ How do I get it updated ?
+
+A: Blocks of network addresses have been delegated by the InterNIC. Check
+ if your network a.b.c.0 is in such a block by using nslookup:
+
+ nslookup -type=soa c.b.a.in-addr.arpa.
+ nslookup -type=soa b.a.in-addr.arpa.
+ nslookup -type=soa a.in-addr.arpa.
+
+ One of the above should give you the information you are looking for
+ (the others will return with an error something like `*** No start of
+ authority (SOA) records available for ...')
+ This will give you the email address of the person to whom you should
+ address your change request.
+
+ If none of these works, your network probably has not been delegated
+ by the InterNIC and you need to contact them directly.
+
+ CIDR has meant that the registration is delegated, but registration
+ of in-addr.arpa has always been separate from forward zones - and
+ for good reason - in that the forward and reverse zones may have
+ different policies, contents etc, may be served by a different set
+ of nameservers, and exist at different times (usually only at point
+ of creation). There isn't a one-to-one mapping between the two, so
+ merging the registration would probably cause more problems than
+ people forgetting/not-knowing that they had to register in-addr.arpa
+ zones separately. For example, there are organizations that have
+ hundreds of networks and two or more domains, with a sprinkling of
+ machines from each network in each of the domains.
+
+
+-------------------------------
+
+Date: Mon Jan 2 13:08:38 EST 1995
+Subject: Q1.11 - How to get my address assign from NIC ?
+
+
+Q: Can anyone tell me how can I get the address from NIC? How many subnets
+ will NIC give to me?
+
+A: You should probably ask your Internet provider to give you an address.
+ These days, addresses are being distributed through the providers,
+ so that they can assign adjacent blocks of addresses to sites that
+ go through the same provider, to permit more efficient routing on
+ the backbones.
+
+ Unless you have thousands of hosts, you probably won't be able to get a
+ class B these days. Instead, you can get a series of class C networks.
+ Large requests will be queried, so be ready to provide a network plan if
+ you ask for more than 16 class C networks.
+
+ If you can't do this through your Internet provider, you can look for a
+ subnet registration form on rs.internic.net. See the answer in this FAQ
+ to the question "How to register a domain name" for a URL to these
+ forms.
+
+-------------------------------
+
+Date: Mon Jan 2 13:12:01 EST 1995
+Subject: Q1.12 -Is there a block of private IP addresses I can use?
+
+
+Q: Is there a block of private IP addresses I can use?
+
+A: This answer may be found in the FAQ for the newsgroup comp.dcom.sys.cisco
+ available for anonymous ftp from
+
+ ftp://rtfm.mit.edu/pub/usenet/comp.dcom.sys.cisco
+
+ There is a block of private IP addresses that you can use. However
+ whether you wish to do so is an issue of some debate.
+
+ There are two RFCs which discuss this issue, and present opposing
+ views:
+
+1597 Address Allocation for Private Internets. Y. Rekhter, B.
+ Moskowitz, D. Karrenberg & G. de Groot. March 1994. (Format:
+ TXT=17430 bytes)
+
+1627 Network 10 Considered Harmful (Some Practices Shouldn't be
+ Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
+ (Format: TXT=18823 bytes)
+
+ Neither one of these RFCs is anything more than a set of informational
+ guidelines; they are *not* words to live by (remember that RFC stands
+ for Request For Comments). If you're seriously considering using
+ private IP addresses, please read them both.
+
+ In any event, RFC 1597 documents the allocation of the following
+ addresses for use by ``private internets'':
+
+ 10.0.0.0 - 10.255.255.255
+ 172.16.0.0 - 172.31.255.255
+ 192.168.0.0 - 192.168.255.255
+
+ Most importantly, it is vital that nothing using these addresses
+ should ever connect to the global Internet, or have plans to do so.
+ Please read the above RFCs before considering implementing such
+ a policy.
+
+
+-------------------------------
+
+Date: Mon Jan 2 13:55:50 EST 1995
+Subject: Q1.13 - Cache failed lookups
+
+Q: Does BIND cache negative answers (failed DNS lookups) ?
+
+A: Yes, BIND 4.9.3 will cache negative answers.
+
+
+-------------------------------
+
+Date: Fri Feb 10 15:35:07 EST 1995
+Subject: Q1.14 - What does an NS record really do ?
+
+Q: What does a NS record really do ?
+
+A: The NS records in your zone data file pointing to the zone's name
+ servers (as opposed to the servers of delegated subdomains) don't do
+ much. They're essentially unused, though they are returned in the
+ authority section of reply packets from your name servers.
+
+-------------------------------
+
+Date: Fri Feb 10 15:40:10 EST 1995
+Subject: Q1.15 - DNS ports
+
+Q: Does anyone out there have any information/experience on exactly which
+ TCP/UDP ports DNS uses to send and receive queries ?
+
+A: Use the following chart:
+
+ Prot Src Dst Use
+ udp 53 53 Queries between servers (eg, recursive queries)
+ Replies to above
+ tcp 53 53 Queries with long replies between servers, zone
+ transfers Replies to above
+ udp >1023 53 Client queries (sendmail, nslookup, etc ...)
+ udp 53 >1023 Replies to above
+ tcp >1023 53 Client queries with long replies
+ tcp 53 >1023 Replies to above
+
+ Note: >1023 is for non-priv ports on Un*x clients. On other client
+ types, the limit may be more or less.
+
+ Another point to keep in mind when designing filters for DNS is that a
+ DNS server uses port 53 both as the source and destination for it's
+ queries. So, a client queries an initial server from an unreserved
+ port number to UDP port 53. If the server needs to query another
+ server to get the required info, it sends a UDP query to that server
+ with both source and destination ports set to 53. The response is then
+ sent with the same src=53 dest=53 to the first server which then
+ responds to the original client from port 53 to the original source
+ port number.
+
+ The point of all this is that putting in filters to only allow UDP
+ between a high port and port 53 will not work correctly, you must also
+ allow the port 53 to port 53 UDP to get through.
+
+ Also, ALL versions of BIND use TCP for queries in some cases. The
+ original query is tried using UDP. If the response is longer than
+ the allocated buffer, the resolver will retry the query using a TCP
+ connection. If you block access to TCP port 53 as suggested above,
+ you may find that some things don't work.
+
+ Newer version of BIND allow you to configure a list of IP addresses
+ from which to allow zone transfers. This mechanism can be used to
+ prevent people from outside downloading your entire namespace.
+
+
+-------------------------------
+
+
+Date: Fri Apr 28 14:19:10 EDT 1995
+Subject: Q1.16 - Obtaining the latest cache file
+
+Q: What is the cache file and where can I obtain the latest version ?
+
+A: From the "Name Server Operations Guide"
+
+ 6.3. Cache Initialization
+
+ 6.3.1. root.cache
+
+ The name server needs to know the servers that
+ are the authoritative name servers for the root
+ domain of the network. To do this we have to prime
+ the name server's cache with the addresses of these
+ higher authorities. The location of this file is
+ specified in the boot file. ...
+
+ A copy of the comments in the file available from the InterNIC follow:
+
+ ; This file holds the information on root name servers needed to
+ ; initialize cache of Internet domain name servers
+ ; (e.g. reference this file in the "cache . <file>"
+ ; configuration file of BIND domain name servers).
+ ;
+ ; This file is made available by InterNIC registration services
+ ; under anonymous FTP as
+ ; file /domain/named.root
+ ; on server FTP.RS.INTERNIC.NET
+ ; -OR- under Gopher at RS.INTERNIC.NET
+ ; under menu InterNIC Registration Services (NSI)
+ ; submenu InterNIC Registration Archives
+ ; file named.root
+ ;
+ ; last update: Oct 5, 1994
+ ; related version of root zone: 1994100500
+ ;
+
+ If you have a version of dig running, you may obtain the information with
+ the command
+
+ dig @ns.internic.net . ns
+
+
+-------------------------------
+
+
+Date: Mon Jan 2 13:13:49 EST 1995
+Subject: Q2.1 - Utilities to administer DNS zone files
+
+Q: I am wondering if there are utilities available to ease the
+ administration of the zone files in the DNS.
+
+A: There are a few. Two common ones are h2n and makezones. Both are perl
+ scripts. h2n is used to convert host tables into zone data files. It
+ is available for anonymous ftp from
+
+ ftp://ftp.uu.net/published/oreilly/nutshell/dnsbind/dns.tar.Z.
+
+ makezones works from a single file that looks like a forward zone file,
+ with some additional syntax for special cases. It is included in the
+ current BIND distribution. The newest version is always available for
+ anonymous ftp from
+
+ ftp://ftp.cus.cam.ac.uk/pub/software/programs/DNS/makezones
+
+ This package is mirrored at
+
+ ftp://ftp.njit.edu/pub/dns/cus.cam.ac/makezones
+
+ More information may be found using the DNS Resource Directory
+
+ http://www.dns.net/dnsrd
+
+
+-------------------------------
+
+Date: Thu Dec 1 11:09:11 EST 1994
+Subject: Q2.2 - DIG - Domain Internet Groper
+
+Q: Where can I find the latest version of DIG ?
+
+A: The latest and greatest, official, accept-no-substitutes version of DiG
+ is the one that comes with BIND. Get the latest kit.
+
+-------------------------------
+
+Date: Mon May 15 12:57:42 EDT 1995
+Subject: Q2.3 -DNS packet analyser
+
+Q: I'm looking for a Ethernet packet analyser of public domain or standard
+ (like tcpdump, snoop, packetman) that is able to determine DNS data
+ field protocol
+
+A: There is a free ethernet analyser called Ethload available for PC's
+ running DOS. The latest filename is ETHLD104.ZIP. It understands lots
+ of protocols including TCP/UDP. It'll look inside there and display
+ DNS/BOOTP/ICMP packets etc. (Ed. note: something nice for someone to
+ add to tcpdump ;^) ). Depending on the ethernet controller it's given
+ it'll perform slightly differently. It handles NDIS/Novell/Packet
+ drivers. It works best with Novell's promiscuous mode drivers.
+ A A SimTel mirror site should have the program available for anonymous
+ ftp. As an example,
+
+ ftp://oak.oakland.edu/SimTel/msdos/lan/ethld104.zip
+
+
+-------------------------------
+
+Date: Sun Dec 4 21:15:38 EST 1994
+Subject: Q2.4 - host
+
+A section from the host man page:
+
+ host looks for information about Internet hosts and domain
+ names. It gets this information from a set of intercon-
+ nected servers that are spread across the world. The infor-
+ mation is stored in the form of "resource records" belonging
+ to hierarchically organized "zones".
+
+ By default, the program simply converts between host names
+ and Internet addresses. However, with the -t, -a and -v
+ options, it can be used to find all of the information about
+ domain names that is maintained by the domain nameserver
+ system. The information printed consists of various fields
+ of the associated resource records that were retrieved.
+
+ The arguments can be either host names (domain names) or
+ numeric Internet addresses.
+
+'host' is compatible with both BIND 4.9 and BIND 4.8
+
+'host' may be found in contrib/host in the BIND distribution. The latest
+version always available for anonymous ftp from
+
+ ftp://ftp.nikhef.nl/pub/network/host.tar.Z
+
+It may also be found for anonymous ftp from
+
+ ftp://ftp.uu.net/networking/ip/dns/host.tar.Z
+
+-------------------------------
+
+Date: Fri Feb 10 15:25:11 EST 1995
+Subject: Q2.5 - Programming with DNS
+
+Q: How can I use DNS information in my program?
+
+A: It depends on precisely what you want to do:
+
+ a) Consider whether you need to write a program at all. It may well
+ be easier to write a shell program (e.g. using awk or perl) to parse
+ the output of dig, host or nslookup.
+
+ b) If all you need is names and addresses, there will probably be
+ system routines 'gethostbyname' and 'gethostbyaddr' to provide this
+ information.
+
+ c) If you need more details, then there are system routines (res_query
+ and res_search) to assist with making and sending DNS queries.
+ However, these do not include a routine to parse the resulting answer
+ (although routines to assist in this task are provided). There is a
+ separate library available that will take a DNS response and unpick
+ it into its constituent parts, returning a C structure that can be
+ used by the program. The source for this library is available for
+ anonymous ftp from
+
+ ftp://hpux.csc.liv.ac.uk/hpux/Networking/Admin/resparse-*
+
+
+-------------------------------
+
+
+Date: Wed May 3 12:46:50 EDT 1995
+Subject: Q2.6 - A source of information relating to DNS
+
+Q: Where can I find utilities and tools to help me manage my zone files ?
+
+A: There are several tools available. Please refer to the "tools" section
+ of the DNS resources directory:
+
+ http://www.dns.net/dnsrd/tools.html
+
+
+-------------------------------
+
+
+Date: Fri May 12 14:33:40 EDT 1995
+Subject: Q3.1 - TCP/IP Host Naming Conventions
+
+Q: Is a guide available relating to naming systems ?
+
+A: One guide/resource is RFC 1178, "Choosing a Name for Your Computer",
+ which is available via anonymous FTP from
+
+ ftp://ftp.internic.netrfc/rfc1178.txt
+
+ RFCs (Request For Comments) are specifications and guidelines for how
+ many aspects of TCP/IP and the Internet (should) work. Most RFCs are
+ fairly technical documents, and some have semantics that are hotly
+ contested in the newsgroups. But a few, like RFC 1178, are actually
+ good to read for someone who's just starting along a TCP/IP path.
+
+
+-------------------------------
+
+Date: Thu Dec 1 10:32:43 EST 1994
+Subject: Q3.2 - What are slaves and forwarders ?
+
+Q: What are slaves and forwarders ?
+
+A: "forwarders" is a list of NS records that are _prepended_ to a list
+ of NS records to query if the data is not available locally. This
+ allows a rich cache of records to be built up at a centralized
+ location. This is good for sites that have sporadic or very slow
+ connections to the Internet. (demand dial-up, for example) It's
+ also just a good idea for very large distributed sites to increase
+ the chance that you don't have to go off to the Internet to get an
+ IP address. (sometimes for addresses across the street!)
+
+ "slave" modifies this to say to replace the list of NS records
+ with the forwarders entry, instead of prepending to it. This is
+ for firewalled environments, where the nameserver can't directly
+ get out to the Internet at all.
+
+ "slave" is meaningless (and invalid, in late-model BINDs) without
+ "forwarders". "forwarders" is an entry in named.boot, and therefore
+ applies only to the nameserver (not to resolvers).
+
+-------------------------------
+
+Date: Mon Jan 2 13:15:13 EST 1995
+Subject: Q3.3 - When is a server authoritative?
+
+
+Q: What criteria does a server use to determine if it is authoritative
+ for a domain?
+
+A: In the case of BIND:
+ 1) The server contains current data in files for the zone in
+ question (Data must be current for secondaries, as defined
+ in the SOA)
+ 2) The server is told that it is authoritative for the zone, by
+ a 'primary' or 'secondary' keyword in /etc/named.boot.
+ 3) The server does an error-free load of the zone.
+
+Q: I have set up a DNS where there is an SOA record for
+ the domain, but the server still does not consider itself
+ authoritative. (I used nslookup and set server=the correct machine.)
+ It seems to me that something is not matching up somewhere. I suspect
+ that this is because the service provider has not given us control
+ over the IP numbers in our own domain, and so while the machine listed
+ has an A record for an address, there is no corresponding PTR record.
+
+A: That's possible too, but is unrelated to the first question.
+ You need to be delegated a zone before outside people will start
+ talking to your server. However, a server can still be authoritative
+ for a zone even though it hasn't been delegated authority (it's just
+ that only the people who use that as their server will see the data).
+
+ A server may consider itself non-authoritative even though it's a
+ primary if there is a syntax error in the zone (see point 3 above).
+
+Q: I always believe that it was the NS record that defined authoritative
+ servers.
+
+A: Nope, delegation is a separate issue from authoritativeness.
+ You can still be authoritative, but not delegated. (you can also be
+ delegated, but not authoritative -- that's a "lame delegation")
+
+Q: We have had problems in the past from servers that were
+ authoritative (primary or secondary) but no NS, so other thought they
+ were not. Some resolvers get very confused when they get non-
+ authoritative data from the primary server.
+
+A: Yes, that's a lame delegation. That's not caused by what you said,
+ but rather by a server which is _not_ authoritative for a zone, yet
+ someone else (the parent) is saying that a server is authoritative
+ (via the NS records).
+
+ The set of NS records in the parent zone must be a subset of the
+ authoritative servers to avoid lame delegations.
+
+
+-------------------------------
+
+Date: Fri Apr 28 13:26:37 EDT 1995
+Subject: Q3.4 - underscore in host-/domainnames
+
+
+Q: I had a quick look on whether underscores are allowed in host- or
+ domainnames.
+
+ RFC 1033 allows them.
+ RFC 1035 doesn't.
+ RFC 1123 doesn't.
+ dnswalk complains about them.
+
+ Which RFC is the final authority these days?
+
+A: Actually RFC 1035 deals with names of machines or names of
+ mail domains. i.e "_" is not permitted in a hostname or on the
+ RHS of the "@" in local@domain.
+
+ Underscore is permitted where ever the domain is NOT one of
+ these types of addresses.
+
+ In general the DNS mostly contains hostnames and mail domainnames.
+ This will change as new resource record types for authenticating DNS
+ queries start to appear.
+
+ The latest version of 'host' checks for illegal characters in A/MX
+ record names and the NS/MX target names.
+
+ After saying all of that, remember that RFC 1123 is a Required Internet
+ Standard (per RFC 1720), and RFC 1033 isn't. Even 1035 isn't a required
+ standard. Therefore, RFC 1123 wins, no contest.
+
+
+-------------------------------
+
+Date: Fri Dec 2 15:03:56 EST 1994
+Subject: Q3.5 - Lame delegation
+
+Q: What is lame delegation ?
+
+A: Two things are required for a lame delegation:
+ 1) A nameserver X is delegated as authoritative for a zone.
+ 2) Nameserver X is not performing nameservice for that zone.
+
+ Try to think of a lame delegation as a long-term condition, brought
+ about by a misconfiguration somewhere. Bryan Beecher's 1992 LISA
+ paper on lame delegations is good to read on this. The problem
+ really lies in misconfigured nameservers, not "lameness" brought
+ about by transient outages. The latter is common on the Internet
+ and hard to avoid, while the former is correctable.
+
+ In order to be performing nameservice for a zone, it must have
+ (presumed correct) data for that zone, and it must be answering
+ authoritatively to resolver queries for that zone. (The AA bit is
+ set in the flags section)
+
+ The "classic" lame delegation case is when nameserver X is delegated
+ as authoritative for domain Y, yet when you ask Y about X, it
+ returns non-authoritative data.
+
+ Here's an example that shows what happens most often (using dig,
+ dnswalk, and doc to find).
+
+ Let's say the domain bogus.com gets registered at the NIC and they
+ have listed 2 primary name servers, both from their *upstream*
+ provider:
+
+ bogus.com IN NS ns.bogus.com
+ bogus.com IN NS upstream.com
+ bogus.com IN NS upstream1.com
+
+ So the root servers have this info. But when the admins at
+ bogus.com actually set up their zone files they put something like:
+
+ bogus.com IN NS upstream.com
+ bogus.com IN NS upstream1.com
+
+ So your name server may have the nameserver info cached (which it
+ may have gotten from the root). The root says "go ask ns.bogus.com"
+ since they are authoritative
+
+ This is usually from stuff being registered at the NIC (either
+ nic.ddn.mil or rs.internic.net), and then updated later, but the
+ folks who make the updates later never let the folks at the NIC know
+ about it.
+
+Q: How can I see if the server is "lame" ?
+
+A: Go to the authoritative servers one level up, and ask them who
+ they think is authoritative, and then go ask each one of those
+ delegees if they think that they themselves are authoritative. If any
+ responds "no", then you know who the lame delegation is, and who is
+ delegating lamely to them. You can then send off a message to the
+ administrators of the level above.
+
+ The 'lamers' script from Byran Beecher really takes care of all this
+ for you. It parses the lame delegation notices from BIND's syslog
+ and summarizes them for you. It may be found in the contrib section
+ of the latest BIND distribution. The latest version is available
+ for anonymous ftp from
+
+ ftp://terminator.cc.umich.edu/dns/lame-delegations/
+
+ If you want to actively check for lame delegations, you can use 'doc'
+ and 'dnswalk'. You can check things manually with 'dig'.
+
+-------------------------------
+
+Date: Thu Dec 1 11:10:39 EST 1994
+Subject: Q3.6 - What does opt-class field do?
+
+Q: Just something I was wondering about: What does the opt-class
+ field in an name database do (the one that always says IN)?
+ What would happen if I put something else there instead?
+
+A: This field is the address class. From the BOG -
+
+ ...is the address class; currently, only one class
+ is supported: IN for internet addresses and other
+ internet information. Limited support is included for
+ the HS class, which is for MIT/Athena ``Hesiod''
+ information.
+
+-------------------------------
+
+Date: Fri Feb 10 14:49:54 EST 1995
+Subject: Q3.7 - Top level domains
+
+
+A section from RFC 1591:
+
+ 2. The Top Level Structure of the Domain Names
+
+ In the Domain Name System (DNS) naming of computers there is a
+ hierarchy of names. The root of system is unnamed. There are a set
+ of what are called "top-level domain names" (TLDs). These are the
+ generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two
+ letter country codes from ISO-3166. It is extremely unlikely that
+ any other TLDs will be created.
+
+[ Ed note: the ISO-3166 country codes may be found for anonymous ftp from:
+
+ ftp://ftp.isi.edu/in-notes/iana/assignments/country-codes
+ ftp://ftp.ripe.net/iso3166-codes
+]
+
+ Under each TLD may be created a hierarchy of names. Generally, under
+ the generic TLDs the structure is very flat. That is, many
+ organizations are registered directly under the TLD, and any further
+ structure is up to the individual organizations.
+
+ In the country TLDs, there is a wide variation in the structure, in
+ some countries the structure is very flat, in others there is
+ substantial structural organization. In some country domains the
+ second levels are generic categories (such as, AC, CO, GO, and RE),
+ in others they are based on political geography, and in still others,
+ organization names are listed directly under the country code. The
+ organization for the US country domain is described in RFC 1480.
+
+ Each of the generic TLDs was created for a general category of
+ organizations. The country code domains (for example, FR, NL, KR,
+ US) are each organized by an administrator for that country. These
+ administrators may further delegate the management of portions of the
+ naming tree. These administrators are performing a public service on
+ behalf of the Internet community. Descriptions of the generic
+ domains and the US country domain follow.
+
+ Of these generic domains, five are international in nature, and two
+ are restricted to use by entities in the United States.
+
+ World Wide Generic Domains:
+
+ COM - This domain is intended for commercial entities, that is
+ companies. This domain has grown very large and there is
+ concern about the administrative load and system performance if
+ the current growth pattern is continued. Consideration is
+ being taken to subdivide the COM domain and only allow future
+ commercial registrations in the subdomains.
+
+ EDU - This domain was originally intended for all educational
+ institutions. Many Universities, colleges, schools,
+ educational service organizations, and educational consortia
+ have registered here. More recently a decision has been taken
+ to limit further registrations to 4 year colleges and
+ universities. Schools and 2-year colleges will be registered
+ in the country domains (see US Domain, especially K12 and CC,
+ below).
+
+ NET - This domain is intended to hold only the computers of network
+ providers, that is the NIC and NOC computers, the
+ administrative computers, and the network node computers. The
+ customers of the network provider would have domain names of
+ their own (not in the NET TLD).
+
+ ORG - This domain is intended as the miscellaneous TLD for
+ organizations that didn't fit anywhere else. Some non-
+ government organizations may fit here.
+
+ INT - This domain is for organizations established by international
+ treaties, or international databases.
+
+ United States Only Generic Domains:
+
+ GOV - This domain was originally intended for any kind of government
+ office or agency. More recently a decision was taken to
+ register only agencies of the US Federal government in this
+ domain. State and local agencies are registered in the country
+ domains (see US Domain, below).
+
+ MIL - This domain is used by the US military.
+
+ Example country code Domain:
+
+ US - As an example of a country domain, the US domain provides for
+ the registration of all kinds of entities in the United States
+ on the basis of political geography, that is, a hierarchy of
+ <entity-name>.<locality>.<state-code>.US. For example,
+ "IBM.Armonk.NY.US". In addition, branches of the US domain are
+ provided within each state for schools (K12), community
+ colleges (CC), technical schools (TEC), state government
+ agencies (STATE), councils of governments (COG),libraries
+ (LIB), museums (MUS), and several other generic types of
+ entities (see RFC 1480 for details).
+
+
+A section from RFC 1480:
+
+ 2. NAMING STRUCTURE
+
+ The US Domain hierarchy is based on political geography. The
+ basic name space under US is the state name space, then the
+ "locality" name space, (like a city, or county) then
+ organization or computer name and so on.
+
+ For example:
+
+ BERKELEY.CA.US
+ PORTLAND.WA.US
+
+ There is of course no problem with running out of names.
+
+ The things that are named are individual computers.
+
+ If you register now in one city and then move, the database can
+ be updated with a new name in your new city, and a pointer can
+ be set up from your old name to your new name. This type of
+ pointer is called a CNAME record.
+
+ The use of unregistered names is not effective and causes problems
+ for other users. Inventing your own name and using it without
+ registering is not a good idea.
+
+ In addition to strictly geographically names, some special names
+ are used, such as FED, STATE, AGENCY, DISTRICT, K12, LIB, CC,
+ CITY, and COUNTY. Several new name spaces have been created,
+ DNI, GEN, and TEC, and a minor change under the "locality" name
+ space was made to the existing CITY and COUNTY subdomains by
+ abbreviating them to CI and CO. A detailed description
+ follows.
+
+ Below US, Parallel to States:
+ -----------------------------
+
+ "FED" - This branch may be used for agencies of the federal
+ government. For example: <org-name>.<city>.FED.US
+
+ "DNI" - DISTRIBUTED NATIONAL INSTITUTES - The "DNI" branch was
+ created directly under the top-level US. This branch is to be used
+ for distributed national institutes; organizations that span state,
+ regional, and other organizational boundaries; that are national in
+ scope, and have distributed facilities. For example:
+ <org-name>.DNI.US.
+
+ Name Space Within States:
+ ------------------------
+
+ "locality" - cities, counties, parishes, and townships. Subdomains
+ under the "locality" would be like CI.<city>.<state>.US,
+ CO.<county>.<state>.US, or businesses. For example:
+ Petville.Marvista.CA.US.
+
+ "CI" - This branch is used for city government agencies and is a
+ subdomain under the "locality" name (like Los Angeles). For example:
+ Fire-Dept.CI.Los-Angeles.CA.US.
+
+ "CO" - This branch is used for county government agencies and is a
+ subdomain under the "locality" name (like Los Angeles). For example:
+ Fire-Dept.CO.San-Diego.CA.US.
+
+ "K12" - This branch may be used for public school districts. A
+ special name "PVT" can be used in the place of a school district name
+ for private schools. For example: <school-name>.K12.<state>.US and
+ <school-name>.PVT.K12.<state>.US.
+
+ "CC" - COMMUNITY COLLEGES - This branch was established for all state
+ wide community colleges. For example: <school-name>.CC.<state>.US.
+
+ "TEC" - TECHNICAL AND VOCATIONAL SCHOOLS - The branch "TEC" was
+ established for technical and vocational schools and colleges. For
+ example: <school-name>.TEC.<state>.US.
+
+ "LIB" - LIBRARIES (STATE, REGIONAL, CITY, COUNTY) - This branch may
+ be used for libraries only. For example: <lib-name>.LIB.<state>.US.
+
+ "STATE" - This branch may be used for state government agencies. For
+ example: <org-name>.STATE.<state>.US.
+
+ "GEN" - GENERAL INDEPENDENT ENTITY - This branch is for the things
+ that don't fit easily into any other structure listed -- things that
+ might fit in to something like ORG at the top-level. It is best not
+ to use the same keywords (ORG, EDU, COM, etc.) that are used at the
+ top-level to avoid confusion. GEN would be used for such things as,
+ state-wide organizations, clubs, or domain parks. For example:
+ <org-name>.GEN.<state-code>.US.
+
+ The application form for the US domain may be found for anonymous ftp
+ from:
+
+ ftp://internic.net/templates/us-domain-template.txt
+
+ The application form for the EDU, COM, NET, ORG, and GOV domains may be
+ found for anonymous ftp from:
+
+ ftp://internic.net/templates/domain-template.txt
+
+
+-------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q3.8 - Classes of networks
+
+Q: I am just kind of curious to what exactly the differences in classes
+ of networks are (class A, B, C).
+
+A: An Internet Protocol (IP) address is 32 bit in length, divided into
+ two or three parts (the network address, the subnet address (if present),
+ and the host address. The subnet addresses are only present if the
+ network has been divided into subnetworks. The length of the network,
+ subnet, and host field are all variable.
+
+ There are five different network classes. The leftmost bits indicate
+ the class of the network.
+
+ # bits in # bits in
+ network host
+Class field field Internet Protocol address in binary Ranges
+============================================================================
+ A 7 24 0NNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH 1-127.x.x.x
+ B 14 16 10NNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH 128-191.x.x.x
+ C 22 8 110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH 192-223.x.x.x
+ D NOTE 1 1110xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 224-239.x.x.x
+ E NOTE 2 11110xxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 240-247.x.x.x
+
+ where N represents part of the network address and H represents part of
+ the host address. When the subnet address is defined, the needed bits
+ are assigned from the host address space.
+
+ NOTE 1: Reserved for multicast groups - RFC 1112
+ NOTE 2: Reserved for future use
+
+ 127.0.0.1 is reserved for local loopback.
+
+ Under the current arrangements, many class A IP numbers will not be
+ assigned whereas class C usage will be at a premium.
+
+-------------------------------
+
+
+Date: Fri Apr 28 13:31:24 EDT 1995
+Subject: Q3.9 - What is CIDR ?
+
+Q: What is CIDR ?
+
+A: CIDR is "Classless Inter-Domain Routing (CIDR). From RFC1517:
+
+ ...Classless Inter-Domain Routing (CIDR) attempts to deal with
+ these problems by defining a mechanism to slow the growth of
+ routing tables and reduce the need to allocate new IP network
+ numbers.
+
+ Much more information may be obtained in RFCs 1467, 1517, 1518, 1520;
+ with primary reference 1519
+
+
+-------------------------------
+
+
+Date: Fri Apr 28 13:31:24 EDT 1995
+Subject: Q3.10 - What is the rule for glue ?
+
+Q: What is the rule for glue ?
+
+A: A glue record is an A record for a name that appears on the right-hand
+ side of a NS record. So, if you have this:
+
+ sub.foobar.com. IN NS dns.sub.foobar.com.
+ dns.sub.foobar.com. IN A 1.2.3.4
+
+ then the second record is a glue record (for the NS record above it).
+
+ You need glue records when -- and only when -- you are delegating
+ authority to a nameserver that "lives" in the domain you are delegating
+ *and* you aren't a secondary server for that domain.
+
+ In other words, in the example above, you need to add an A record
+ for dns.sub.foobar.com since it "lives" in the domain it serves.
+ This boot strapping information is necessary: How are you supposed
+ to find out the IP address of the nameserver for domain FOO if the
+ nameserver for FOO "lives" in FOO?
+
+ If you have this NS record:
+
+ sub.foobar.com. IN NS dns.xyz123.com.
+
+ you do NOT need a glue record, and, in fact, adding one is a very
+ bad idea. If you add one, and then the folks at xyz123.com change
+ the address, then you will be passing out incorrect data.
+
+ Also, unless you actually have a machine called something.IN-ADDR.ARPA,
+ you will never have any glue records present in any of your "reverse"
+ files.
+
+ There is also a sort of implicit glue record that can be useful (or
+ confusing :^) ). If the parent server (abc.foobar.com domain in example
+ above) is a secondary server for the child, then the A record will be
+ fetched from the child server when the zone transfer is done. The glue
+ is still there but it's a little different, it's in the ip address in
+ the named.boot line instead of explicitly in the data. In this case
+ you can leave out the explicit glue A record and leave the manually
+ configured "glue" in just the one place in the named.boot file.
+
+ RFC 1537 says it quite nicely:
+
+ 2. Glue records
+
+ Quite often, people put unnecessary glue (A) records in their
+ zone files. Even worse is that I've even seen *wrong* glue records
+ for an external host in a primary zone file! Glue records need only
+ be in a zone file if the server host is within the zone and there
+ is no A record for that host elsewhere in the zone file.
+
+ Old BIND versions ("native" 4.8.3 and older versions) showed the
+ problem that wrong glue records could enter secondary servers in
+ a zone transfer.
diff --git a/contrib/bind/doc/misc/FAQ.2of2 b/contrib/bind/doc/misc/FAQ.2of2
new file mode 100644
index 0000000..ae453c9
--- /dev/null
+++ b/contrib/bind/doc/misc/FAQ.2of2
@@ -0,0 +1,1131 @@
+Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers
+Path: vixie!news1.digital.com!uunet!in1.uu.net!usc!rutgers!njitgw.njit.edu!hertz.njit.edu!cdp2582
+From: cdp@njit.edu (Chris Peckham)
+Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 2 of 2)
+Message-ID: <cptd-faq-2-810621452@njit.edu>
+Followup-To: comp.protocols.tcp-ip.domains
+Originator: cdp2582@hertz.njit.edu
+Keywords: BIND,DOMAIN,DNS
+Sender: news@njit.edu
+Supersedes: <cptd-faq-2-807632375@njit.edu>
+Nntp-Posting-Host: hertz.njit.edu
+X-Posting-Frequency: posted on the 1st of each month
+Reply-To: domain-faq@njit.edu (comp.protocols.tcp-ip.domains FAQ comments)
+Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA
+References: <cptd-faq-1-810621452@njit.edu>
+Date: Sat, 9 Sep 1995 04:38:21 GMT
+Approved: news-answers-request@MIT.EDU
+Expires: Sat 14 Oct 95 00:37:32 EDT
+Lines: 1110
+Xref: vixie comp.protocols.tcp-ip.domains:6019 comp.answers:13882 news.answers:49919
+
+Posted-By: auto-faq 3.1.1.2
+Archive-name: internet/tcp-ip/domains-faq/part2
+Revision: 1.5 1995/05/12 18:50:41
+
+
+This FAQ is edited and maintained by Chris Peckham, <cdp@njit.edu>.
+The latest version may always be found for anonymous ftp from
+
+ ftp://rtfm.mit.edu/pub/usenet/news.answers/internet/tcp-ip/domains-faq
+ ftp://ftp.njit.edu/pub/dns/Comp.protocols.tcp-ip.domains.FAQ
+
+If you can contribute any answers for items in the TODO section, please do
+so by sending e-mail to domain-faq@njit.edu ! If you know of any items that
+are not included and you feel that they should be, send the relevant
+information to domain-faq@njit.edu.
+
+
+------------------------------
+
+Date: Fri May 12 14:41:47 EDT 1995
+Subject: Table of Contents
+
+Table of Contents
+=================
+Part 1
+------
+ 0. TO DO
+ 1. INTRODUCTION / MISCELLANEOUS
+ 1.1 What is this newsgroup ?
+ 1.2 More information
+ 1.3 What is BIND and where is the latest version of BIND ?
+ 1.4 How can I find the route between systems ?
+ 1.5 Finding the hostname if you have the tcp-ip address
+ 1.6 How to register a domain name
+ 1.7 Change of Domain name
+ 1.8 How memory and CPU does DNS use ?
+ 1.9 Other things to consider when planning your servers
+ 1.10 Proper way to get NS and reverse IP records into DNS
+ 1.11 How to get my address assign from NIC?
+ 1.12 Is there a block of private IP addresses I can use?
+ 1.13 Cache failed lookups
+ 1.14 What does an NS record really do ?
+ 1.15 DNS ports
+ 1.16 Obtaining the latest cache file
+ 2. UTILITIES
+ 2.1 Utilities to administer DNS zone files
+ 2.2 DIG - Domain Internet Groper
+ 2.3 DNS packet analyzer
+ 2.4 host
+ 2.5 Programming with DNS
+ 2.6 A source of information relating to DNS
+ 3. DEFINITIONS
+ 3.1 TCP/IP Host Naming Conventions
+ 3.2 Slaves and servers with forwarders
+ 3.3 When is a server authoritative?
+ 3.4 Underscore in host-/domain names
+ 3.5 Lame delegation
+ 3.6 What does opt-class field do?
+ 3.7 Top level domains
+ 3.8 Classes of networks
+ 3.9 What is CIDR ?
+ 3.10 What is the rule for glue ?
+
+Part 2
+------
+ 4. CONFIGURATION
+ 4.1 Changing a Secondary server to a Primary
+ 4.2 How do I subnet a Class B Address ?
+ 4.3 Subnetted domain name service
+ 4.4 Recommended format/style of DNS files
+ 4.5 DNS on a system not connected to the Internet
+ 4.6 Multiple Domain configuration
+ 4.7 wildcard MX records
+ 4.8 How to identify a wildcard MX record
+ 4.9 Why are fully qualified domain names recommended ?
+ 4.10 Distributing load using named
+ 4.11 Order of returned records
+ 4.12 resolv.conf
+ 4.13 Delegating authority
+ 4.14 DNS instead of NIS on a Sun OS 4.1.x system
+ 5. PROBLEMS
+ 5.1 No address for root server
+ 5.2 Error - No Root Nameservers for Class XX
+ 5.3 Bind 4.9.x and MX querying?
+ 5.4 Some root nameservers don't know localhost
+ 5.5 MX records and CNAMES and separate A records for MX targets
+ 5.6 NS is a CNAME
+ 5.7 Nameserver forgets own A record
+ 5.8 General problems (core dumps !)
+ 5.9 malloc and DECstations
+ 6. ACKNOWLEDGEMENTS
+
+------------------------------
+
+Date: Fri Dec 2 15:31:06 EST 1994
+Subject: Q4.1 - Changing a Secondary server to a Primary
+
+Q: Do I need to do anything special when I change a server from a secondary
+ to a primary ?
+
+A: For 4.8.3, it's prudent to kill and restart following any changes to
+ named.boot.
+
+ In BIND 4.9.3, you only have to kill and restart named if you change
+ a primary zone to a secondary or v-v, or if you delete a zone and
+ remain authoritative for its parent. Every other case should be
+ taken care of by a HUP. (Ed. note: 4.9.3b9 may still require you to
+ kill and restart the server due to some bugs in the HUP code).
+
+ You will also need to update the server information on the root servers.
+ You can do this by filing a new domain registration form to inform
+ InterNIC of the change. They will then update the root server's SOA
+ records. This process usually takes 10-12 business days after they
+ receive the request.
+
+-------------------------------
+
+Date: Fri Apr 28 13:34:52 EDT 1995
+Subject: Q4.2 - How do I subnet a Class B Address ?
+
+Q: I just received a Class B internet address and I am wondering where to
+ get an RFC or other information on how to properly to the TCP/IP
+ sub-netting.
+
+A: That you need to subnet at all is something of a misconception. You
+ can also think of a class B network as giving you 65,534 individual
+ hosts, and such a network will work. You can also configure your
+ class B as 16,384 networks of 2 hosts each. That's obviously not
+ very practical, but it needs to be made clear that you are not
+ constrained by the size of an octet (remember that many older
+ devices would not work in a network configured in this manner).
+
+ So, the question is: why do you need to subnet? One reason is that
+ it is easier to manage a subnetted network, and in fact, you can
+ delegate the responsibility for address space management to local
+ administrators on the various subnets. Also, IP based problems will
+ end up localized rather than affecting your entire network.
+
+ If your network is a large backbone with numerous segments
+ individually branching off the backbone, that too suggests
+ subnetting.
+
+ Subnetting can also be used to improve routing conditions.
+
+ You may wish to partition your network to disallow certain protocols
+ on certain segments of your net. You can, for example, restrict IP or
+ IPX to certain segments only by adding a router routing high level
+ protocols, and across the router you may have to subnet.
+
+ Finally, as far as how many subnets you need depends on the answer to
+ the above question. As far as subnet masks are concerned, the mask
+ can be anything from 255.0.0.0 to 255.255.255.252. You'll probably be
+ looking at 9 or 10 bits for the subnet (last octet 128 or 192
+ respectively). RFC1219 discusses the issue of subnetting very well
+ and leaves the network administrator with a large amount of flexibility
+ for future growth.
+
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q4.3 -Subnetted domain name service
+
+Q: After doing some reading (DNS and BIND, Albitz&Liu), I don't really
+ find any examples of handling subnetted class C networks as separate
+ DNS domains.
+
+A: This is possible, just messy. You need to delegate down to the
+ fourth octet, so you will have one domain per IP address ! Here is
+ how you can subdelegate a in-addr.arpa address for non-byte aligned
+ subnet masks:
+
+ Take as an example the net 192.1.1.x, and example subnet mask
+ 255.255.255.240.
+
+ We first define the domain for the class C net,
+
+$origin 1.1.192.in-addr.arpa
+@ SOA (usual stuff)
+@ ns some.nameserver
+ ns some.other.nameserver
+; delegate a subdomain
+one ns one.nameserver
+ ns some.nameserver
+; delegate another
+two ns two.nameserver
+ ns some.nameserver
+; CNAME pointers to subdomain one
+0 CNAME 0.one
+1 CNAME 1.one
+; through
+15 CNAME 15.one
+; CNAME pointers to subdomain two
+16 CNAME 16.two
+17 CNAME 17.two
+31 CNAME 31.two
+; CNAME as many as required.
+
+
+ Now, in the delegated nameserver, one.nameserver
+
+$origin one.1.1.192.in-addr.arpa
+@ SOA (usual stuff)
+ NS one.nameserver
+ NS some.nameserver ; secondary for us
+0 PTR onenet.one.domain
+1 PTR onehost.one.domain
+; through
+15 PTR lasthost.one.domain
+
+ And similar for the two.1.1.192.in-addr.arpa delegated domain.
+
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q4.4 - Recommended format/style of DNS files
+
+Q: Are there any suggestions for how to layout DNS configuration files
+ (both forward and reverse)?
+
+A: This answer is quoted from an article posted by Paul Vixie:
+
+ I've gone back and forth on the question of whether the BOG should
+ include a section on this topic. I know what I myself prefer, but
+ I'm wary of ramming my own stylistic preferences down the throat of
+ every BOG reader. But since you ask :-)...
+
+ Create /var/named. If your system is too old to have a /var, either
+ create one or use /usr/local/adm/named instead. Put your named.boot
+ in it, and make /etc/named.boot a symlink to it. If your system
+ doesn't have symlinks, you're S-O-L (but you knew that). In
+ named.boot, put a "directory" directive that specifies your actual
+ BIND working directory:
+
+ directory /var/named
+
+ All relative pathnames used in "primary", "secondary", and "cache"
+ directives will be evaluated relative to this directory. Create two
+ subdirectories, /var/named/pri and /var/named/sec. Whenever you add
+ a "primary" directive to your named.boot, use "pri/WHATEVER" as the
+ path name. And then put the primary zone file into "pri/WHATEVER".
+ Likewise when you add "secondary" directives, use "sec/WHATEVER" and
+ BIND (really named-xfer) will create the files in that
+ subdirectory.
+
+ (Variations: (1) make a midlevel directory "zones" and put "pri" and
+ "sec" into it; (2) if you tend to pick up a lot of secondaries from
+ a few hosts, group them together in their own subdirectories --
+ something like /var/named/zones/uucp if you're a UUCP Project name
+ server.)
+
+ For your forward files, name them after the zone. dec.com becomes
+ "/var/named/zones/pri/dec.com". For your reverse files, name them
+ after the network number. 0.1.16.in-addr.arpa becomes
+ "/var/named/zones/pri/16.1.0".
+
+ When creating or maintaining primary zone files, try to use the same
+ SOA values everywhere, except for the serial number which varies per
+ zone. Put a $ORIGIN directive at the top of the primary zone file,
+ not because its needed (it's not since the default origin is the
+ zone named in the "primary" directive) but because it make it easier
+ to remember what you're working on when you have a lot of primary
+ zones. Put some comments up there indicating contact information
+ for the real owner if you're proxying. Use RCS and put the "Id"
+ in a ";" comment near the top of the zone file.
+
+ The SOA and other top level information should all be listed
+ together. But don't put IN on every line, it defaults nicely. For
+ example:
+
+==============
+@ IN SOA gw.home.vix.com. postmaster.vix.com. (
+ 1994082501 ; serial
+ 3600 ; refresh (1 hour)
+ 1800 ; retry (30 mins)
+ 604800 ; expire (7 days)
+ 3600 ) ; minimum (1 hour)
+
+ NS gw.home.vix.com.
+ NS ns.uu.net.
+ NS uucp-gw-1.pa.dec.com.
+ NS uucp-gw-2.pa.dec.com.
+
+ MX 10 gw.home.vix.com.
+ MX 20 uucp-gw-1.pa.dec.com.
+ MX 20 uucp-gw-1.pa.dec.com.
+==============
+
+ I don't necessarily recommend those SOA values. Not every zone is
+ as volatile as the example shown. I do recommend that serial number
+ format; it's in date format with a 2-digit per-day revision number.
+ This format will last us until 2147 A.D. at which point I expect a
+ better solution will have been found :-). (Note that it would last
+ until 4294 A.D. except that there are some old BINDs out there that
+ use a signed quantity for representing serial number interally; I
+ suppose that as long as none of these are still running after 2047
+ A.D., that we can use the above serial number format until 4294
+ A.D., at which point a better solution will HAVE to be found.)
+
+ You'll note that I use a tab stop for "IN" even though I never again
+ specify it. This leaves room for names longer than 7 bytes without
+ messing up the columns. You might also note that I've put the MX
+ priority and destination in the same tab stop; this is because both
+ are part of the RRdata and both are very different from MX which is
+ an RRtype. Some folks seem to prefer to group "MX" and the priority
+ together in one tab stop. While this looks neat it's very confusing
+ to newcomers and for them it violates the law of least
+ astonishment.
+
+ If you have a multi-level zone (one which contains names that have
+ dots in them), you can use additional $ORIGIN statements but I
+ recommend against it since there is no "back" operator. That is,
+ given the above example you can add:
+
+=============
+$ORIGIN home
+gw A 192.5.5.1
+=============
+
+ The problem with this is that subsequent RR's had better be
+ somewhere under the "home.vix.com" name or else the $ORIGIN that
+ introduces them will have to use a fully qualified name. FQDN
+ $ORIGIN's aren't bad and I won't be mad if you use them.
+ Unqualified ones as shown above are real trouble. I usually stay
+ away from them and just put the whole name in:
+
+=============
+gw.home A 192.5.5.1
+=============
+
+ In your reverse zones, you're usually in some good luck because the
+ owner name is usually a single short token or sometimes two.
+
+=============
+$ORIGIN 5.5.192.in-addr.arpa.
+@ IN SOA ...
+ NS ...
+1 PTR gw.home.vix.com.
+=========================================
+$ORIGIN 1.16.in-addr.arpa.
+@ IN SOA ...
+ NS ...
+2.0 PTR gatekeeper.dec.com.
+=============
+
+ It is usually pretty hard to keep your forward and reverse zones in
+ synch. You can avoid that whole problem by just using "h2n" (see
+ the ORA book, DNS and BIND, and its sample toolkit, included in the
+ BIND distribution or on ftp.uu.net (use the QUOTE SITE EXEC INDEX
+ command there to find this -- I never can remember where it's at).
+ "h2n" and many tools like it can just read your old /etc/hosts file
+ and churn it into DNS zone files. (May I recommend
+ contrib/decwrl/mkdb.pl from the BIND distribution?) However, if you
+ (like me) prefer to edit these things by hand, you need to follow
+ the simple convention of making all of your holes consistent. If
+ you use 192.5.5.1 and 192.5.5.3 but not (yet) 192.5.5.2, then in
+ your forward file you will have something like
+
+=============
+...
+gw.home A 192.5.5.1
+;avail A 192.5.5.2
+pc.home A 192.5.5.3
+=============
+
+ and in your reverse file you will have something like
+
+=============
+...
+1 PTR gw.home.vix.com.
+;2 PTR avail
+3 PTR pc.home.vix.com.
+=============
+
+ This convention will allow you to keep your sanity and make fewer
+ errors. Any kind of automation (h2n, mkdb, or your own
+ perl/tcl/awk/python tools) will help you maintain a consistent
+ universe even if it's also a complex one. Editing by hand doesn't
+ have to be deadly but you MUST take care.
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q4.5 - DNS on a system not connected to the Internet
+
+
+Q: How do I use DNS on a system that is not connected to the Internet or
+ set BIND up with an internal root server ?
+
+A: You need to create your own root domain name server until you connect
+ to the internet. Your roots need to delegate to mydomain.com and any
+ in-addr.arpa subdomains you might have, and that's about it. As
+ soon as you're connected, rip out the fake roots and use the real
+ ones.
+
+ It does not actually have to be another server pretending to be the root.
+ You can set up the name server so that it is primary for each domain
+ above you and leave them empty (i.e. you are foo.bar.com - claim to be
+ primary for bar.com and com)
+
+Q: What if you connect intermittently and want DNS to work when you are
+ connected, and "fail" when you are not ?
+
+A: You can point the resolver at the name server at the remote site and
+ if the connection (SLIP/PPP) isn't up, the resolver doesn't have a
+ route to the remote server and since there's only one name server in
+ resolv.conf, the resolver quickly backs off the using /etc/hosts.
+ No problem. You could do the same with multiple name server and a
+ resolver that did configurable /etc/hosts fallback.
+
+------------------------------
+
+Date: Fri Dec 2 15:40:49 EST 1994
+Subject: Q4.6 -Multiple Domain configuration
+
+
+Q: I have seen sites that seem to have multiple domain names pointing to the
+ same destination. I would like to implement this and have found no
+ information explaining how to do it. What I would like to do is:
+
+ ftp ftp.biff.com connects user to -> ftp.biff.com
+ ftp ftp.fred.com connects user to -> ftp.biff.com
+ ftp ftp.bowser.com connects user to -> ftp.biff.com
+
+A: This is done through CNAME records:
+
+ ftp.bowser.com. IN CNAME ftp.biff.com.
+
+ You can also do the same thing with multiple A records.
+
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q4.7 - wildcard MX records
+
+Q: Does BIND not understand wildcard MX records such as the following?
+
+ *.foo.com MX 0 mail.foo.com.
+
+A: Explicit RR's at one level of specificity will, by design, "block" a
+ wildcard at a lesser level of specificity. I suspect that you have
+ an RR (an A RR, perhaps?) for "bar.foo.com" which is blocking the
+ application of your "*.foo.com" wildcard. The initial MX query is
+ thus failing (NOERROR but an answer count of 0), and the backup
+ query finds the A RR for "bar.foo.com" and uses it to deliver the
+ mail directly (which is what you DIDN'T want it to do). Adding an
+ explicit MX RR for the host is therefore the right way to handle
+ this situation.
+
+ See RFC 1034, Section 4.3.3 ("Wildcards") for more information on
+ this "blocking" behavior, along with an illustrative example. See
+ also RFC 974 for an explanation of standard mailer behavior in the
+ face of an "empty" response to one's MX query.
+
+ Basically, what it boils down to is, there is no point in trying to
+ use a wildcard MX for a host which is otherwise listed in the DNS.
+ It just doesn't work.
+
+------------------------------
+
+Date: Thu Dec 1 11:10:39 EST 1994
+Subject: Q4.8 - How to identify a wildcard MX record
+
+
+Q: How do you identify a wildcard MX record ?
+
+A: You don't really need to "identify" a wildcard MX RR. The precedence
+ for u@dom is:
+
+ exact match MX
+ exact match A
+ wildcard MX
+
+ One way to implement this is to query for ("dom",IN,MX) and if the
+ answer name that comes back is "*." something, you know it's a
+ wildcard, therefore you know there is no exact match MX, and you
+ therefore query for ("dom",IN,A) and if you get something, use it.
+ if you don't, use the previous wildcard response.
+
+ RFC 974 explains this pretty well.
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q4.9 - Why are fully qualified domain names recommended ?
+
+
+Q: Why are fully qualified domain names recommended ?
+
+A: The documentation for BIND 4.9.2 says that the hostname should be set
+ to the full domain style name (i.e host.our.domain rather than
+ host). What advantages are there in this, and are there any adverse
+ consequences if we don't?
+
+A: Paul Vixie likes to do it :-) He lists a few reasons -
+
+ * Sendmail can be configured to just use Dj$w rather than
+ Dj$w.mumble where "mumble" is something you have to edit in by
+ hand. Granted, most people use "mumble" elsewhere in their config
+ files ("tack on local domain", etc) but why should it be a
+ requirement ?
+
+ * The real reason is that not doing it violates a very useful invariant:
+
+ gethostbyname(gethostname) == gethostbyaddr(primary_interface_address)
+
+ If you take an address and go "backwards" through the PTR's with
+ it, you'll get a FQDN, and if you push that back through the A
+ RR's, you get the same address. Or you should. Many multi-homed
+ hosts violate this uncaringly.
+
+ If you take a non-FQDN hostname and push it "forwards" through the
+ A RR's, you get an address which, if you push it through the
+ PTR's, comes back as a FQDN which is not the same as the hostname
+ you started with. Consider the fact that, absent NIS/YP, there is
+ no "domainname" command analogous to the "hostname" command.
+ (NIS/YP's doesn't count, of course, since it's
+ sometimes-but-only-rarely the same as the Internet domain or
+ subdomain above a given host's name.) The "domain" keyword in
+ resolv.conf doesn't specify the parent domain of the current host;
+ it specifies the default domain of queries initiated on the
+ current host, which can be a very different thing. (As of RFC
+ 1535 and BIND 4.9.2's compliance with it, most people use "search"
+ in resolv.conf, which overrides "domain", anyway.)
+
+ What this means is that there is NO authoritative way to
+ programmatically discover your host's FQDN unless it is set in the
+ hostname, or unless every application is willing to grovel the
+ "netstat -in" tables, find what it hopes is the primary address,
+ and do a PTR query on it.
+
+ FQDN /bin/hostnames are, intuitively or not, the simplest way to go.
+
+------------------------------
+
+Date: Wed Mar 1 11:04:43 EST 1995
+Subject: Q4.10 - Distributing load using named
+
+Q: If you attempt to distribute the load on a system using named, won't
+ the first response be cached, and then later queries use the cached
+ value? (This would be for requests that come through the same
+ server.)
+
+A: Yes. So it can be useful to use a lower TTL on records where this is
+ important. You can use values like 300 or 500 seconds.
+
+ If your local caching server has ROUND_ROBIN, it does not matter
+ what the authoritative servers have -- every response from the cache
+ is rotated.
+
+ But if it doesn't, and the authoritative server site is depending on
+ this feature (or the old "shuffle-A") to do load balancing, then if
+ one doesn't use small TTLs, one could conceivably end up with a
+ really nasty situation, e.g., hundreds of workstations at a branch
+ campus pounding on the same front end at the authoritative server's
+ site during class registration.
+
+ Not nice.
+
+A: Paul Vixie has an example of the ROUND_ROBIN code in action. Here is
+ something that he wrote regarding his example:
+
+ >I want users to be distributed evenly among those 3 hosts.
+
+ Believe it or not :-), BIND offers an ugly way to do this. I offer
+ for your collective amusement the following snippet from the
+ ugly.vix.com zone file:
+
+ hydra cname hydra1
+ cname hydra2
+ cname hydra3
+ hydra1 a 10.1.0.1
+ a 10.1.0.2
+ a 10.1.0.3
+ hydra2 a 10.2.0.1
+ a 10.2.0.2
+ a 10.2.0.3
+ hydra3 a 10.3.0.1
+ a 10.3.0.2
+ a 10.3.0.3
+
+ Note that having multiple CNAME RR's at a given name is
+ meaningless according to the DNS RFCs but BIND doesn't mind (in
+ fact it doesn't even complain). If you call
+ gethostbyname("hydra.ugly.vix.com") (try it!) you will get
+ results like the following. Note that there are two round robin
+ rotations going on: one at ("hydra",CNAME) and one at each
+ ("hydra1",A) et al. I used a layer of CNAME's above the layer of
+ A's to keep the response size down. If you don't have nine
+ addresses you probably don't care and would just use a pile of
+ CNAME's pointing directly at real host names.
+
+ {hydra.ugly.vix.com}
+ name: hydra2.ugly.vix.com
+ aliases: hydra.ugly.vix.com
+ addresses: 10.2.0.2 10.2.0.3 10.2.0.1
+
+ {hydra.ugly.vix.com}
+ name: hydra3.ugly.vix.com
+ aliases: hydra.ugly.vix.com
+ addresses: 10.3.0.2 10.3.0.3 10.3.0.1
+
+ {hydra.ugly.vix.com}
+ name: hydra1.ugly.vix.com
+ aliases: hydra.ugly.vix.com
+ addresses: 10.1.0.2 10.1.0.3 10.1.0.1
+
+ {hydra.ugly.vix.com}
+ name: hydra2.ugly.vix.com
+ aliases: hydra.ugly.vix.com
+ addresses: 10.2.0.3 10.2.0.1 10.2.0.2
+
+ {hydra.ugly.vix.com}
+ name: hydra3.ugly.vix.com
+ aliases: hydra.ugly.vix.com
+ addresses: 10.3.0.3 10.3.0.1 10.3.0.2
+
+
+------------------------------
+
+Date: Sun Dec 4 22:12:32 EST 1994
+Subject: Q4.11 - Order of returned records
+
+Q: Is there any way to tell named to return records, specifically
+ address records, in the order in which they are listed in the
+ database?
+
+ It would appear that named consistently applies a sorting algorithm
+ to address records which seems to be virtually guaranteed to be
+ pessimal for our routers, which have many A records.
+
+A: Sorting, is the *resolver's* responsibility. RFC 1123:
+
+ 6.1.3.4 Multihomed Hosts
+
+ When the host name-to-address function encounters a host
+ with multiple addresses, it SHOULD rank or sort the
+ addresses using knowledge of the immediately connected
+ network number(s) and any other applicable performance or
+ history information.
+
+ DISCUSSION:
+ The different addresses of a multihomed host generally
+ imply different Internet paths, and some paths may be
+ preferable to others in performance, reliability, or
+ administrative restrictions. There is no general way
+ for the domain system to determine the best path. A
+ recommended approach is to base this decision on local
+ configuration information set by the system
+ administrator.
+
+ In BIND 4.9.x's resolver code, the "sortlist" directive in resolv.conf
+ can be used to configure this.
+
+------------------------------
+
+Date: Fri Feb 10 15:46:17 EST 1995
+Subject: Q4.12 - resolv.conf
+
+
+Q: Why should I use "real" IP addresses in /etc/resolv.conf and not 0.0.0.0
+ or 127.0.0.1.
+
+A: Paul Vixie writes on the issue of the contents of resolv.conf:
+
+ It's historical. Some kernels can't unbind a UDP socket's source
+ address, and some resolver versions (notably not including BIND
+ 4.9.2 or 4.9.3's) try to do this. The result can be wide area
+ network traffic with 127.0.0.1 as the source address. Rather than
+ giving out a long and detailed map of version/vendor combinations of
+ kernels/BINDs that have/don't this problem, I just tell folks not to
+ use 127.0.0.1 at all.
+
+ 0.0.0.0 is just an alias for the first interface address assigned
+ after a system boot, and if that interface is a up-and-down point to
+ point link (PPP, SLIP, whatever), there's no guarantee that you'll
+ be able to reach yourself via 0.0.0.0 during the entire lifetime of
+ any system instance. On most kernels you can finesse this by adding
+ static routes to 127.0.0.1 for each of your interface addresses, but
+ some kernels don't like that trick and rather than give a detailed
+ map of which ones work and which ones don't, I just globally
+ recommend against 0.0.0.0.
+
+ If you know enough to know that 127.0.0.1 or 0.0.0.0 is safe on your
+ kernel and resolver, then feel free to use them. If you don't know
+ for sure that it is safe, don't use them. I never use them (except
+ on my laptop, whose hostname is "localhost" and whose 0.0.0.0 is
+ 127.0.0.1 since I ifconfig my lo0 before any other interface). The
+ operational advantage to using a real IP address rather than an
+ wormhole like 0.0.0.0 or 127.0.0.1, is that you can then "rdist" or
+ otherwise share identical copies of your resolv.conf on all the
+ systems on any given subnet, not all of which will be servers.
+
+A: The problem was with older versions of the resolver (4.8.X). If you
+ listed 127.0.0.1 as the first entry in resolv.conf, and for whatever
+ reason the local name server wasn't running and the resolver fell
+ back to the second name server listed, it would send queries to the
+ name server with the source IP address set to 127.0.0.1 (as it was
+ set when the resolver was trying to send to 127.0.0.1--you use the
+ loopback address to send to the loopback address).
+
+------------------------------
+
+Date: Mon Jan 2 13:50:13 EST 1995
+Subject: Q4.13 - Delegating authority
+
+Q: How do I delegate authority for domains within my domain ?
+
+A: When you start having a very big domain that can be broken into logical
+ and separate entities that can look after their own DNS information,
+ you will probably want to do this. Maintain a central area for the
+ things that everyone needs to see and delegate the authority for the
+ other parts of the organization so that they can manage themselves.
+
+ Another essential piece of information is that every domain that
+ exists must have it NS records associated with it. These NS records
+ denote the name servers that are queried for information about that
+ zone. For your zone to be recognized by the outside world, the
+ server responsible for the zone above you must have created a NS
+ record for your machine in your domain. For example, putting the
+ computer club onto the network and giving them control over their
+ own part of the domain space we have the following.
+
+ The machine authorative for gu.uwa.edu.au is mackerel and the machine
+ authorative for ucc.gu.uwa.edu.au is marlin.
+
+ in mackerel's data for gu.uwa.edu.au we have the following
+
+ @ IN SOA ...
+ IN A 130.95.100.3
+ IN MX mackerel.gu.uwa.edu.au.
+ IN MX uniwa.uwa.edu.au.
+
+ marlin IN A 130.95.100.4
+
+ ucc IN NS marlin.gu.uwa.edu.au.
+ IN NS mackerel.gu.uwa.edu.au.
+
+ Marlin is also given an IP in our domain as a convenience. If they
+ blow up their name serving there is less that can go wrong because
+ people can still see that machine which is a start. You could place
+ "marlin.ucc" in the first column and leave the machine totally
+ inside the ucc domain as well.
+
+ The second NS line is because mackerel will be acting as secondary name
+ server for the ucc.gu domain. Do not include this line if you are not
+ authorative for the information included in the sub-domain.
+
+
+------------------------------
+
+Date: Wed Mar 1 11:45:00 EST 1995
+Subject: Q4.14 - DNS instead of NIS on a Sun OS 4.1.x system
+
+Q: I would appreciate any comments on whether running bind 4.9.x will
+ enable sendmail, ftp, telnet and other TCP/IP services to bypass
+ NIS and connect directly to named.
+
+A: How to do this is documented quite well in the comp.sys.sun.admin FAQ in
+ questions one and two. You can get them from:
+
+ ftp://thor.ece.uc.edu/pub/sun-faq/FAQs/sun-faq.general
+ http://www.cis.ohio-state.edu/hypertext/faq/usenet/comp-sys-sun-faq
+
+ as well as from rtfm.mit.edu in the usual place, etc.
+
+
+------------------------------
+
+Date: Mon Jan 2 13:49:43 EST 1995
+Subject: Q5.1 - No address for root server
+
+
+Q: I've been getting the following messages lately from bind-4.9.2..
+ ns_req: no address for root server
+
+We are behind a firewall and have the following for our named.cache file -
+
+ ; list of servers
+ . 99999999 IN NS POBOX.FOOBAR.COM.
+ 99999999 IN NS FOOHOST.FOOBAR.COM.
+ foobar.com. 99999999 IN NS pobox.foobar.com.
+
+A: You can't do that. Your nameserver contacts POBOX.FOOBAR.COM, gets the
+ correct list of root servers from it, then tries again and fails
+ because of your firewall.
+
+ You will need a 'forwarder' definition, to ensure that all requests
+ are forwarded to a host which can penetrate the firewall. And
+ it is unwise to put phony data into 'named.cache'.
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q5.2 - Error - No Root Nameservers for Class XX
+
+Q: I've received errors before about "No root nameservers for class XX"
+ but they've been because of network connectivity problems.
+ I believe that Class 1 is Internet Class data.
+ And I think I heard someone say that Class 4 is Hesiod??
+ Does anyone know what the various Class numbers are?
+
+A: From RFC 1700:
+
+ DOMAIN NAME SYSTEM PARAMETERS
+ The Internet Domain Naming System (DOMAIN) includes several
+ parameters. These are documented in [RFC1034] and [RFC1035]. The
+ CLASS parameter is listed here. The per CLASS parameters are
+ defined in separate RFCs as indicated.
+
+ Domain System Parameters:
+
+ Decimal Name References
+ -------- ---- ----------
+ 0 Reserved [PM1]
+ 1 Internet (IN) [RFC1034,PM1]
+ 2 Unassigned [PM1]
+ 3 Chaos (CH) [PM1]
+ 4 Hesoid (HS) [PM1]
+ 5-65534 Unassigned [PM1]
+ 65535 Reserved [PM1]
+
+DNS information for RFC 1700 was taken from
+
+ ftp://ftp.isi.edu/in-notes/iana/assignments/dns-parameters
+
+ Hesiod is class 4, and there are no official root nameservers for class
+ 4, so you can safely declare yourself one if you like. You might want
+ to put up a packet filter so that no one outside your network is capable
+ of making Hesiod queries of your machines, if you define yourself to be
+ a root nameserver for class 4.
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q5.3 - Bind 4.9.x and MX querying?
+
+
+Q: If I query a 4.9.x DNS server for MX records, a list of the MX records
+ as well as a list of the authorative nameservers is returned. Why ?
+
+A: Bind 4.9.2 returns the list of nameserver that are authorative
+ for a domain in the response packet, along with their IP
+ addresses in the additional section.
+
+------------------------------
+
+Date: Sat Sep 9 00:36:01 EDT 1995
+Subject: Q5.4 - Some root nameservers don't know localhost
+
+Q: Do I need to define an A record for localhost ?
+
+ Where is the A record for 127.0.0.1 defined? I see where
+ the PTR record is defined pointing to localhost, but can't find
+ where the A record is. And is the A record supposed to be
+ localhost.MY_DOMAIN or just localhost ?
+
+A: Somewhere deep in the BOG (BIND Operations Guide) that came with
+ 4.9.3 (section 5.4.3), it says that you define this yourself
+ (if need be) in the same zone files as your "real" IP addresses
+ for your domain. Quoting the BOG:
+
+ ... As implied by this PTR
+ record, there should be a ``localhost.my.dom.ain''
+ A record (with address 127.0.0.1) in every domain
+ that contains hosts. ``localhost.'' will lose its
+ trailing dot when 1.0.0.127.in-addr.arpa is queried
+ for;...
+
+ The sample files in the BIND distribution show you what needs to be
+ done (see the BOG).
+
+ Some HP boxen (especially those running HP OpenView) will also need
+ "loopback" defined with this IP address. You may set it as a CNAME
+ record pointing to the "localhost." record.
+
+------------------------------
+
+Date: Sun Nov 27 23:32:41 EST 1994
+Subject: Q5.5 - MX records and CNAMES and separate A records for MX targets
+
+Q: The O'Reilly "DNS and Bind" book warns against using non-canonical
+ names in MX records, however, this warning is given in the context
+ of mail hubs that MX to each other for backup purposes. I don't see
+ how this applies to mail spokes. RFC 974 has a similar warning, but
+ I can not see where it specifically prohibits using an alias in an
+ MX record.
+
+A: Without the restrictions in the RFC, a MTA must request the A records
+ for every MX listed to determine if it is in the MX list then reduce
+ the list. This introduces many more lookups than would other wise be
+ required. If you are behind a 1200 bps link YOU DON'T WANT TO DO
+ THIS. The addresses associated with CNAMES are not passed as
+ additional data so you will force additional traffic to result even
+ if you are running a caching server locally.
+
+ There is also the problem of how does the MTA find all of it's
+ IP addresses. This is not straight forward. You have to be able
+ to do this is you allow CNAMEs (or extra A's) as MX targets.
+
+ The letter of the law is that an MX record should point to an A record.
+
+ There is no "real" reason to use CNAMEs for MX targets or separate
+ As for nameservers any more. CNAMEs for services other than mail
+ should be used because there is no specified method for locating the
+ desired server yet.
+
+ People don't care what the names of MX targets are. They're
+ invisible to the process anyway. If you have mail for "mary"
+ redirected to "sue" is totally irrelevant. Having CNAMEs as the
+ targets of MX's just needlessly complicates things, and is more work
+ for the resolver.
+
+ Having separate A's for nameservers like "ns.your.domain" is
+ pointless too, since again nobody cares what the name of your
+ nameserver is, since that too is invisible to the process. If you
+ move your nameserver from "mary.your.domain" to "sue.your.domain"
+ nobody need care except you and your parent domain administrator
+ (and the InterNIC). Even less so for mail servers, since only you
+ are affected.
+
+Q: Given the example -
+
+ hello in cname realname
+ mailx in mx 0 hello
+
+ Now, while reading the operating manual of bind it clearly states
+ that this is *not* valid. These two statements clearly contradict
+ each other. Is there some later rfc than 974 that overrides what is
+ said in there with respect to MX and CNAMEs? Anyone have the
+ reference handy?
+
+A: This isn't what the BOG says at all. See below. You can have a CNAME
+ that points to some other RR type; in fact, all CNAMEs have to point
+ to other names (Canonical ones, hence the C in CNAME). What you
+ can't have is an MX that points to a CNAME. MX RR's that point to
+ names which have only CNAME RR's will not work in many cases, and
+ RFC 974 intimates that it's a bad idea:
+
+ Note that the algorithm to delete irrelevant RRs breaks if LOCAL has
+ a alias and the alias is listed in the MX records for REMOTE. (E.g.
+ REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This
+ can be avoided if aliases are never used in the data section of MX
+ RRs.
+
+ Here's the relevant BOG snippet:
+
+ aliases {ttl} addr-class CNAME Canonical name
+ ucbmonet IN CNAME monet
+
+ The Canonical Name resource record, CNAME, speci-
+ fies an alias or nickname for the official, or
+ canonical, host name. This record should be the
+ only one associated with the alias name. All other
+ resource records should be associated with the
+ canonical name, not with the nickname. Any
+ resource records that include a domain name as
+ their value (e.g., NS or MX) must list the canoni-
+ cal name, not the nickname.
+
+------------------------------
+
+Date: Wed Mar 1 11:14:10 EST 1995
+Subject: Q5.6 - NS is a CNAME
+
+Q: Can I do this ? Is it legal ?
+
+ @ SOA (.........)
+ NS ns.host.this.domain.
+ NS second.host.another.domain.
+ ns CNAME third
+ third IN A xxx.xxx.xxx.xxx
+
+
+A: No. Only one RR type is allowed to refer, in its data field, to a
+ CNAME, and that's CNAME itself. So CNAMEs can refer to CNAMEs but
+ NSs and MXs cannot.
+
+ BIND 4.9.3 (Beta11 and later) explicitly syslogs this case rather than
+ simply failing as pre-4.9 servers did. Here's a current example:
+
+ Dec 7 00:52:18 gw named[17561]: \
+ "foobar.com IN NS" points to a CNAME (foobar.foobar.com)
+
+ Here is the reason why:
+
+ Nameservers are not required to include CNAME records in the
+ Additional Info section returned after a query. It's partly an
+ implementation decision and partly a part of the spec. The
+ algorithm described in RFC 1034 (pp24,25; info also in RFC 1035,
+ section 3.3.11, p 18) says 'Put whatever addresses are available
+ into the additional section, using glue RRs [if necessary]'.
+ Since NS records are speced to contain only primary names of
+ hosts, not CNAMEs, then there's no reason for algorithm to
+ mention them. If, on the other hand, it's decided to allow CNAMEs
+ in NS records (and indeed in other records) then there's no
+ reason that CNAME records might not be included along with A
+ records. The Additional Info section is intended for any
+ information that might be useful but which isn't strictly the
+ answer to the DNS query processed. It's an implementation
+ decision in as much as some servers used to follow CNAMEs in
+ NS references.
+
+
+------------------------------
+
+Date: Fri Dec 2 16:17:31 EST 1994
+Subject: Q5.7 - Nameserver forgets own A record
+
+
+Q: Lately, I've been having trouble with named 4.9.2 and 4.9.3.
+ Periodically, the nameserver will seem to "forget" its own A record,
+ although the other information stays intact. One theory I had was
+ that somehow a site that the nameserver was secondary for was
+ "corrupting" the A record somehow.
+
+A: This is invariably due to not removing ALL of the cached zones
+ when you moved to 4.9.X. Remove ALL cached zones and restart
+ your nameservers.
+
+ You get "ignoreds" because the primaries for the relevant zones are
+ running old versions of BIND which pass out more glue than is
+ required. named-xfer trims off this extra glue.
+
+------------------------------
+
+Date: Sun Dec 4 22:21:22 EST 1994
+Subject: Q5.8 - General problems (core dumps !)
+
+Q: I am running bind 4.9.3b9p1 on a DEC alpha OSF/1 V3.0 and have had it
+ core dump while in debug mode. The last lines printed to named.run
+ were [...]
+
+A: Paul Vixie says:
+
+ I'm always interested in hearing about cases where BIND dumps core.
+ However, I need a stack trace. Compile with -g and not -O (unless
+ you are using gcc and know what you are doing) and then when it
+ dumps core, get into dbx or gdb using the executable and the core
+ file and use "bt" to get a stack trace. Send it to me
+ <paul@vix.com> along with specific circumstances leading to or
+ surrounding the crash (test data, tail of the debug log, tail of the
+ syslog... whatever matters) and ideally you should save your core
+ dump for a day or so in case I have questions you can answer via
+ gdb/dbx.
+
+------------------------------
+
+Date: Mon Jan 2 14:19:22 EST 1995
+Subject: Q5.9 - malloc and DECstations
+
+We have replaced malloc on our DECstations with a malloc that is more
+compact in memory usage, and this helped the operation of bind a lot.
+The source is now available for anonymous ftp from
+
+ ftp://ftp.cs.wisc.edu/pub/misc/malloc.tar.gz
+
+
+------------------------------
+
+Date: Fri Apr 28 13:56:32 EDT 1995
+Subject: Q6 - Acknowledgements
+
+Listed in e-mail address alphabetical order, the following people have
+contributed to this FAQ:
+
+Benoit.Grange@inria.fr (Benoit.Grange)
+D.T.Shield@csc.liv.ac.uk (Dave Shield)
+adam@comptech.demon.co.uk (Adam Goodfellow)
+andras@is.co.za (Andras Salamon)
+barmar@nic.near.net (Barry Margolin)
+barr@pop.psu.edu (David Barr)
+bj@herbison.com (B.J. Herbison)
+bje@cbr.fidonet.org (Ben Elliston)
+brad@birch.ims.disa.mil (Brad Knowles)
+ckd@kei.com (Christopher Davis)
+cdp@hertz.njit.edu (Chris Peckham)
+cricket@hp.com (Cricket Liu)
+cudep@csv.warwick.ac.uk (Ian 'Vato' Dickinson [ID17])
+dparter@cs.wisc.edu (David Parter)
+e07@nikhef.nl (Eric Wassenaar)
+fwp@CC.MsState.Edu (Frank Peters)
+gah@cco.caltech.edu (Glen A. Herrmannsfeldt)
+glenn@popco.com (Glenn Fleishman)
+harvey@indyvax.iupui.edu (James Harvey)
+hubert@cac.washington.edu (Steve Hubert)
+jmalcolm@uunet.uu.net (Joseph Malcolm)
+jhawk@panix.com (John Hawkinson)
+kevin@cfc.com (Kevin Darcy)
+lamont@abstractsoft.com (Sean T. Lamont)
+lavondes@tidtest.total.fr (Michel Lavondes)
+mark@ucsalf.ac.uk (Mark Powell)
+marka@syd.dms.CSIRO.AU (Mark Andrews)
+mathias@unicorn.swi.com.sg (Mathias Koerber)
+mjo@iao.ford.com (Mike O'Connor)
+nick@flapjack.ieunet.ie (Nick Hilliard)
+patrick@oes.amdahl.com (Patrick J. Horgan)
+ph10@cus.cam.ac.uk (Philip Hazel)
+rv@seins.Informatik.Uni-Dortmund.DE (Ruediger Volk)
+shields@tembel.org (Michael Shields)
+tanner@george.arc.nasa.gov (Rob Tanner)
+vixie@vix.com (Paul A Vixie)
+wag@swl.msd.ray.com (William Gianopoulos {84718})
+whg@inel.gov (Bill Gray)
+wolf@pasteur.fr (Christophe Wolfhugel)
+
+Thank you !
+
diff --git a/contrib/bind/doc/misc/IPv6 b/contrib/bind/doc/misc/IPv6
new file mode 100644
index 0000000..49fc3f5
--- /dev/null
+++ b/contrib/bind/doc/misc/IPv6
@@ -0,0 +1,72 @@
+IPv6 notes for BIND 4.9.3 Patch 2 Candidate 5 (and later?)
+Paul Vixie, May 20, 1996
+doc/misc/IPv6
+
+ *** Introduction ***
+
+The IPv6 support in this release is latent, in that its presence is not
+documented. The support is not optional, since its presence ought not to
+affect anyone who does not go looking for it. The support includes:
+
+ inet_ntop() new function.
+ inet_pton() new function.
+ RES_USE_INET6 causes gethostby*() to return either real IPv6
+ addresses (if available) or mapped (::FFFF:a.b.c.d)
+ addresses if only IPv4 address records are found.
+ gethostbyname() can search for T_AAAA in preference to T_A.
+ gethostbyaddr() can search in IP6.INT for PTR RR's.
+ named can load, transfer, cache, and dump T_AAAA RRs.
+
+ *** Some notes on the new functions ***
+
+The inet_pton() and inet_ntop() functions differ from the current (as of
+this writing) IPv6 BSD API draft. Discussions were held, primarily between
+myself and Rich Stevens, on the ipng@sunroof.eng.sun.com mailing list, and
+the BIND definitions of these functions are likely to go into the next draft.
+(If not, and BIND has to change its definitions of these functions, then you
+will know why I chose not to document them yet!)
+
+These functions can return error values, and as such the process of porting
+code that used inet_aton() to use inet_pton() is not just syntactic. Not all
+nonzero values indicate success; consider "-1". Likewise, inet_ntoa() is not
+just smaller than inet_ntop() -- it's a whole new approach. Inet_ntop() does
+not return a static pointer, the caller has to supply a sized buffer. Also,
+inet_ntop() can return NULL, so you should only printf() the result if you
+have verified that your arguments will be seen as error free.
+
+The inet_pton() function is much pickier about its input format than the old
+inet_aton() function has been. You can't abbreviate 10.0.0.53 as 10.53 any
+more. Hexadecimal isn't accepted. You have to supply four decimal numeric
+strings, each of whose value is within the range from 0 to 255. No spaces
+are allowed either before, after, or within an address. If you need the older
+functionality with all the shortcuts and exceptions, continue using inet_aton()
+for your IPv4 address parsing needs.
+
+ *** Some notes on RES_USE_INET6 ***
+
+You can set this by modifying _res.options after calling res_init(), or you
+can turn it on globally by setting "options inet6" in /etc/resolv.conf. This
+latter option ought to be used carefully, since _all_ applications will then
+receive IPv6 style h_addr_list's from their gethostby*() calls. Once you know
+that every application on your system can cope with IPv6 addressing, it is safe
+and reasonable to turn on the global option. Otherwise, don't do it.
+
+ *** Some notes on mapped IPv4 addresses ***
+
+There are two IPv6 prefixes set aside for IPv4 address encapsulation. See
+RFC 1884 for a detailed explaination. The ::a.b.c.d form is used for
+tunnelling, which means wrapping an IPv4 header around IPv6 packets and using
+the existing IPv4 routing infrastructure to reach what are actually IPv6
+endpoints. The ::FFFF:a.b.c.d form can be used on dual-stack (IPv4 and IPv6)
+hosts to signal a predominantly IPv6 stack that it should use ``native'' IPv4
+to reach a given destination, even though the socket's address family is
+AF_INET6.
+
+BIND supports both of these address forms, to the extent that inet_pton() will
+parse them, inet_ntop() will generate them, gethostby*() will map IPv4 into
+IPv6 if the RES_USE_INET6 option is set, and gethostbyaddr() will search the
+IN-ADDR.ARPA domain rather than the IP6.INT domain when it needs a PTR RR.
+This last bit of behaviour is still under discussion and it's not clear that
+tunnelled addresses should be mapped using IN-ADDR.ARPA. In other words, this
+bit of behaviour may change in a subsequent BIND release. So now you know
+another reason why none of this stuff is ``officially'' documented.
diff --git a/contrib/bind/doc/misc/dns-setup b/contrib/bind/doc/misc/dns-setup
new file mode 100644
index 0000000..19f0197
--- /dev/null
+++ b/contrib/bind/doc/misc/dns-setup
@@ -0,0 +1,1081 @@
+ Setting up a basic DNS server for a domain
+ Revision 1.1.1
+
+ Craig Richmond
+ craig@ecel.uwa.edu.au
+ 15th August 1993
+
+
+About this document
+
+I have written this file because it seems that the same questions seem to
+pop up time and time again and when I had to install DNS from scratch the
+first time, we found very little to help us.
+
+This document covers setting up a Domain Name Server with authority over
+your domain and using a few of the more useful but less well known
+(hopefully this document will take care of that) features of nslookup to
+get information about the DNS and to work out why yours isn't working.
+
+If you are using a Sun Workstation and you want to make NIS interact with
+the DNS, then this is not the FAQ for you (but it may well be when you try
+to set up the DNS). Mark J. McIntosh <Mark.McIntosh@engr.UVic.CA> points
+out that it is included in the comp.sys.sun.admin FAQ and for the benefit
+of those of you who can't get that (it is posted in comp.sys.sun.admin,
+comp.sys.sun.misc, comp.unix.solaris, comp.answers and news.answers) I have
+included the relevant parts at the bottom in appendix C.
+
+Contents:
+
+ Contents
+ An Overview of the DNS
+ Installing the DNS
+ *The Boot File
+ *The Cache File
+ *The Forward Mapping File
+ *The Reverse Mapping File
+ Delegating authority for domains within your domain
+ Troubleshooting your named
+ *Named doesn't work! What is wrong?
+ *I changed my named database and my local machine has noticed,
+ but nobody else has the new information?
+ *My local machine knows about all the name server information,
+ but no other sites know about me?
+ *My forward domain names work, but the backward names do not?
+ How to get useful information from nslookup
+ *Getting number to name mappings.
+ *Finding where mail goes when a machine has no IP number.
+ *Getting a list of machines in a domain from nslookup.
+ Appendicies
+ *Appendix A sample root.cache file
+ *Appendix B Excerpt from RFC 1340 - Assigned Numbers - July 1992
+ *Appendix C Installing DNS on a Sun when running NIS
+
+
+An Overview of the DNS:
+
+The Domain Name System is the software that lets you have name to number
+mappings on your computers. The name decel.ecel.uwa.edu.au is the number
+130.95.4.2 and vice versa. This is achieved through the DNS. The DNS is a
+heirarchy. There are a small number of root domain name servers that are
+responsible for tracking the top level domains and who is under them. The
+root domain servers between them know about all the people who have name
+servers that are authoritive for domains under the root.
+
+Being authoritive means that if a server is asked about something in that
+domain, it can say with no ambiguity whether or not a given piece of
+information is true. For example. We have domains x.z and y.z. There are
+by definition authoritive name servers for both of these domains and we
+shall assume that the name server in both of these cases is a machine
+called nic.x.z and nic.y.z but that really makes no difference.
+
+If someone asks nic.x.z whether there is a machine called a.x.z, then
+nic.x.z can authoritively say, yes or no because it is the authoritive name
+server for that domain. If someone asks nic.x.z whether there is a machine
+called a.y.z then nic.x.z asks nic.y.z whether such a machine exists (and
+caches this for future requests). It asks nic.y.z because nic.y.z is the
+authoritive name server for the domain y.z. The information about
+authoritive name servers is stored in the DNS itself and as long as you
+have a pointer to a name server who is more knowledgable than yourself then
+you are set.
+
+When a change is made, it propogates slowly out through the internet to
+eventually reach all machines. The following was supplied by Mark Andrews
+Mark.Andrews@syd.dms.csiro.au.
+
+ If both the primary and all secondaries are up and talking when
+ a zone update occurs and for the refresh period after the
+ update the old data will live for max(refresh + mininum)
+ average (refresh/2 +mininum) for the zone. New information will
+ be available from all servers after refresh.
+
+So with a refresh of 3 hours and a minimum of a day, you can expect
+everything to be working a day after it is changed. If you have a longer
+minimum, it may take a couple of days before things return to normal.
+
+There is also a difference between a zone and a domain. The domain is the
+entire set of machines that are contained within an organisational domain
+name. For example, the domain uwa.edu.au contains all the machines at the
+University of Western Australia. A Zone is the area of the DNS for which a
+server is responsible. The University of Western Australia is a large
+organisation and trying to track all changes to machines at a central
+location would be difficult. The authoritive name server for the zone
+uwa.edu.au delegates the authority for the zone ecel.uwa.edu.au to
+decel.ecel.uwa.edu.au. Machine foo.ecel.uwa.edu.au is in the zone that
+decel is authoritive for. Machine bar.uwa.edu.au is in the zone that
+uniwa.uwa.edu.au is authoritive for.
+
+Installing the DNS:
+
+First I'll assume you already have a copy of the Domain Name Server
+software. It is probably called named or in.named depending on your
+flavour of unix. I never had to get a copy, but if anyone thinks that
+information should be here then by all means tell me and I'll put it in.
+If you intend on using the package called Bind, then you should be sure
+that you get version 4.9, which is the most recent version at this point in
+time.
+
+The Boot File:
+
+First step is to create the file named.boot. This describes to named
+(we'll dispense with the in.named. Take them to be the same) where the
+information that it requires can be found. This file is normally found in
+/etc/named.boot and I personally tend to leave it there because then I know
+where to find it. If you don't want to leave it there but place it in a
+directory with the rest of your named files, then there is usually an
+option on named to specify the location of the boot file.
+
+Your typical boot file will look like this if you are an unimportant leaf
+node and there are other name servers at your site.
+
+directory /etc/namedfiles
+
+cache . root.cache
+primary ecel.uwa.edu.au ecel.uwa.domain
+primary 0.0.127.in-addr.arpa 0.0.127.domain
+primary 4.95.130.in-addr.arpa 4.95.130.domain
+forwarders 130.95.128.1
+
+Here is an alternative layout used by Christophe Wolfhugel
+<Christophe.Wolfhugel@grasp.insa-lyon.fr> He finds this easier because of
+the large number of domains he has. The structure is essentially the same,
+but the file names use the domain name rather than the IP subnet to
+describe the contents.
+
+directory /usr/local/etc/bind
+cache . p/root
+;
+; Primary servers
+;
+primary fr.net p/fr.net
+primary frmug.fr.net p/frmug.fr.net
+primary 127.in-addr.arpa p/127
+;
+; Secondary servers
+;
+secondary ensta.fr 147.250.1.1 s/ensta.fr
+secondary gatelink.fr.net 134.214.100.1 s/gatelink.fr.net
+secondary insa-lyon.fr 134.214.100.1 s/insa-lyon.fr
+secondary loesje.org 145.18.226.21 s/loesje.org
+secondary nl.loesje.org 145.18.226.21 s/nl.loesje.org
+secondary pcl.ac.uk 161.74.160.5 s/pcl.ac.uk
+secondary univ-lyon1.fr 134.214.100.1 s/univ-lyon1.fr
+secondary wmin.ac.uk 161.74.160.5 s/wmin.ac.uk
+secondary westminster.ac.uk 161.74.160.5 s/westminster.ac.uk
+;
+;
+; Secondary for addresses
+;
+secondary 74.161.in-addr.arpa 161.74.160.5 s/161.74
+secondary 214.134.in-addr.arpa 134.214.100.1 s/134.214
+secondary 250.147.in-addr.arpa 147.250.1.1 s/147.250
+;
+; Classes C
+;
+secondary 56.44.192.in-addr.arpa 147.250.1.1 s/192.44.56
+secondary 57.44.192.in-addr.arpa 147.250.1.1 s/192.44.57
+
+The lines in the named.boot file have the following meanings.
+
+directory
+
+This is the path that named will place in front of all file names
+referenced from here on. If no directory is specified, it looks for files
+relative to /etc.
+
+cache
+
+This is the information that named uses to get started. Named must know
+the IP number of some other name servers at least to get started.
+Information in the cache is treated differently depending on your version
+of named. Some versions of named use the information included in the cache
+permenantly and others retain but ignore the cache information once up and
+running.
+
+primary
+
+This is one of the domains for which this machine is authorative for. You
+put the entire domain name in. You need forwards and reverse lookups. The
+first value is the domain to append to every name included in that file.
+(There are some exceptions, but they will be explained later) The name at
+the end of the line is the name of the file (relative to /etc of the
+directory if you specified one). The filename can have slashes in it to
+refer to subdirectories so if you have a lot of domains you may want to
+split it up.
+
+BE VERY CAREFUL TO PUT THE NUMBERS BACK TO FRONT FOR THE REVERSE LOOK UP
+FILE. The example given above is for the subnet ecel.uwa.edu.au whose IP
+address is 130.95.4.*. The reverse name must be 4.95.130.in-addr.arpa.
+It must be backwards and it must end with .in-addr.arpa. If your reverse
+name lookups don't work, check this. If they still don't work, check this
+again.
+
+forwarders
+
+This is a list of IP numbers for forward requests for sites about which we
+are unsure. A good choice here is the name server which is authoritive for
+the zone above you.
+
+secondary (This line is not in the example, but is worth mentioning.)
+
+A secondary line indicates that you wish to be a secondary name server for
+this domain. You do not need to do this usually. All it does is help make
+the DNS more robust. You should have at least one secondary server for
+your site, but you do not need to be a secondary server for anyone else.
+You can by all means, but you don't need to be. If you want to be a
+secondary server for another domain, then place the line
+
+secondary gu.uwa.edu.au 130.95.100.3 130.95.128.1
+
+in your named.boot. This will make your named try the servers on both of
+the machines specified to see if it can obtain the information about those
+domains. You can specify a number of IP addresses for the machines to
+query that probably depends on your machine. Your copy of named will upon
+startup go and query all the information it can get about the domain in
+question and remember it and act as though it were authoritive for that
+domain.
+
+Next you will want to start creating the data files that contain the name
+definitions.
+
+The cache file:
+
+You can get a copy of the cache file from FTP.RS.INTERNIC.NET. The current
+copy can be found in Appendix A.
+
+The Forward Mapping file:
+The file ecel.uwa.edu.au. will be used for the example with a couple of
+machines left in for the purpose of the exercise. Here is a copy of what
+the file looks like with explanations following.
+
+; Authoritative data for ecel.uwa.edu.au
+;
+@ IN SOA decel.ecel.uwa.edu.au. postmaster.ecel.uwa.edu.au. (
+ 93071200 ; Serial (yymmddxx)
+ 10800 ; Refresh 3 hours
+ 3600 ; Retry 1 hour
+ 3600000 ; Expire 1000 hours
+ 86400 ) ; Minimum 24 hours
+ IN A 130.95.4.2
+ IN MX 100 decel
+ IN MX 150 uniwa.uwa.edu.au.
+ IN MX 200 relay1.uu.net.
+ IN MX 200 relay2.uu.net.
+
+localhost IN A 127.0.0.1
+
+decel IN A 130.95.4.2
+ IN HINFO SUN4/110 UNIX
+ IN MX 100 decel
+ IN MX 150 uniwa.uwa.edu.au.
+ IN MX 200 relay1.uu.net
+ IN MX 200 relay2.uu.net
+
+gopher IN CNAME decel.ecel.uwa.edu.au.
+
+accfin IN A 130.95.4.3
+ IN HINFO SUN4/110 UNIX
+ IN MX 100 decel
+ IN MX 150 uniwa.uwa.edu.au.
+ IN MX 200 relay1.uu.net
+ IN MX 200 relay2.uu.net
+
+chris-mac IN A 130.95.4.5
+ IN HINFO MAC-II MACOS
+
+The comment character is ';' so the first two lines are just comments
+indicating the contents of the file.
+
+All values from here on have IN in them. This indicates that the value is
+an InterNet record. There are a couple of other types, but all you need
+concern yourself with is internet ones.
+
+The SOA record is the Start Of Authority record. It contains the
+information that other nameservers will learn about this domain and how to
+treat the information they are given about it. The '@' as the first
+character in the line indicates that you wish to define things about the
+domain for which this file is responsible. The domain name is found in the
+named.boot file in the corresponding line to this filename. All
+information listed refers to the most recent machine/domain name so all
+records from the '@' until 'localhost' refer to the '@'. The SOA record
+has 5 magic numbers. First magic number is the serial number. If you
+change the file, change the serial number. If you don't, no other name
+servers will update their information. The old information will sit around
+for a very long time.
+
+Refresh is the time between refreshing information about the SOA (correct
+me if I am wrong). Retry is the frequency of retrying if an authorative
+server cannot be contacted. Expire is how long a secondary name server
+will keep information about a zone without successfully updating it or
+confirming that the data is up to date. This is to help the information
+withstand fairly lengthy downtimes of machines or connections in the
+network without having to recollect all the information. Minimum is the
+default time to live value handed out by a nameserver for all records in
+a zone without an explicit TTL value. This is how long the data will live
+after being handed out. The two pieces of information before the 5 magic
+numbers are the machine that is considered the origin of all of this
+information. Generally the machine that is running your named is a good
+one for here. The second is an email address for someone who can fix any
+problems that may occur with the DNS. Good ones here are postmaster,
+hostmaster or root. NOTE: You use dots and not '@' for the email address.
+
+eg root.decel.ecel.uwa.edu.au is correct
+ and
+ root@decel.ecel.uwa.edu.au is incorrect.
+
+We now have an address to map ecel.uwa.edu.au to. The address is
+130.95.4.2 which happens to be decel, our main machine. If you try to find
+an IP number for the domain ecel.uwa.edu.au it will get you the machine
+decel.ecel.uwa.edu.au's IP number. This is a nicety which means that
+people who have non-MX record mailers can still mail fred@ecel.uwa.edu.au
+and don't have to find the name of a machine name under the domain to mail.
+
+Now we have a couple of MX records for the domain itself. The MX records
+specify where to send mail destined for the machine/domain that the MX
+record is for. In this case we would prefer if all mail for
+fred@ecel.uwa.edu.au is sent to decel.ecel.uwa.edu.au. If that does not
+work, we would like it to go to uniwa.uwa.edu.au because there are a number
+of machines that might have no idea how to get to us, but may be able to get
+to uniwa. And failing that, try the site relay1.uu.net. A small number
+indicates that this site should be tried first. The larget the number the
+further down the list of sites to try the site is. NOTE: Not all machines
+have mailers that pay attention to MX records. Some only pay attention to
+IP numbers, which is really stupid. All machines are required to have
+MX-capable Mail Transfer Agents (MTA) as there are many addresses that can
+only be reached via this means.
+
+There is an entry for localhost now. Note that this is somewhat of a
+kludge and should probably be handled far more elegantly. By placing
+localhost here, a machine comes into existance called
+localhost.ecel.uwa.edu.au. If you finger it, or telnet to it, you get your
+own machine, because the name lookup returns 127.0.0.1 which is the special
+case for your own machine. I have used a couple of different DNS packages.
+The old BSD one let you put things into the cache which would always work,
+but would not be exported to other nameservers. In the newer Sun one, they
+are left in the cache and are mostly ignored once named is up and running.
+This isn't a bad solution, its just not a good one.
+
+Decel is the main machine in our domain. It has the IP number 130.95.4.2
+and that is what this next line shows. It also has a HINFO entry. HINFO
+is Host Info which is meant to be some sort of an indication of what the
+machine is and what it runs. The values are two white space seperated
+values. First being the hardware and second being the software. HINFO is
+not compulsory, its just nice to have sometimes. We also have some MX
+records so that mail destined for decel has some other avenues before it
+bounces back to the sender if undeliverable.
+
+It is a good idea to give all machines capable of handling mail an MX
+record because this can be cached on remote machines and will help to
+reduce the load on the network.
+
+gopher.ecel.uwa.edu.au is the gopher server in our division. Now because
+we are cheapskates and don't want to go and splurge on a seperate machine
+just for handling gopher requests we have made it a CNAME to our main
+machine. While it may seem pointless it does have one main advantage.
+When we discover that our placing terrabytes of popular quicktime movies
+on our gopher server (no we haven't and we don't intend to) causes an
+unbearable load on our main machine, we can quickly move the CNAME to
+point at a new machine by changing the name mentioned in the CNAME. Then
+the slime of the world can continue to get their essential movies with a
+minimal interuption to the network. Other good CNAMEs to maintain are
+things like ftp, mailhost, netfind, archie, whois, and even dns (though the
+most obvious use for this fails). It also makes it easier for people to
+find these services in your domain.
+
+We should probably start using WKS records for things like gopher and whois
+rather than making DNS names for them. The tools are not in wide
+circulation for this to work though. (Plus all those comments in many DNS
+implementation of "Not implemented" next to the WKS record)
+
+Finally we have a macintosh which belongs to my boss. All it needs is an
+IP number, and we have included the HINFO so that you can see that it is in
+fact a macII running a Mac System. To get the list of preferred values,
+you should get a copy of RFC 1340. It lists lots of useful information
+such as /etc/services values, ethernet manufacturer hardware addresses,
+HINFO defualts and many others. I will include the list as it stands at
+the moment, but if any RFC superceeds 1340, then it will have a more
+complete list. See Appendix B for that list.
+
+NOTE: If Chris had a very high profile and wanted his mac to appear like a
+fully connected unix machine as far as internet services were concerned, he
+could simply place an MX record such as
+
+ IN MX 100 decel
+
+after his machine and any mail sent to chris@chris-mac.ecel.uwa.edu.au
+would be automatically rerouted to decel.
+
+The Reverse Mapping File
+
+The reverse name lookup is handled in a most bizarre fashion. Well it all
+makes sense, but it is not immediately obvious.
+
+All of the reverse name lookups are done by finding the PTR record
+associated with the name w.x.y.z.in-addr.arpa. So to find the name
+associated with the IP number 1.2.3.4, we look for information stored in
+the DNS under the name 4.3.2.1.in-addr.arpa. They are organised this way
+so that when you are allocated a B class subnet for example, you get all of
+the IP numbers in the domain 130.95. Now to turn that into a reverse name
+lookup domain, you have to invert the numbers or your registered domains
+will be spread all over the place. It is a mess and you need not understand
+the finer points of it all. All you need to know is that you put the
+reverse name lookup files back to front.
+
+Here is the sample reverse name lookup files to go with our example.
+
+0.0.127.in-addr.arpa
+--
+; Reverse mapping of domain names 0.0.127.in-addr.arpa
+; Nobody pays attention to this, it is only so 127.0.0.1 -> localhost.
+@ IN SOA decel.ecel.uwa.edu.au. postmaster.ecel.uwa.edu.au. (
+ 91061801 ; Serial (yymmddxx)
+ 10800 ; Refresh 3 hours
+ 3600 ; Retry 1 hour
+ 3600000 ; Expire 1000 hours
+ 86400 ) ; Minimum 24 hours
+;
+1 IN PTR localhost.ecel.uwa.edu.au.
+--
+
+4.95.130.in-addr.arpa
+--
+; reverse mapping of domain names 4.95.130.in-addr.arpa
+;
+@ IN SOA decel.ecel.uwa.edu.au. postmaster.ecel.uwa.edu.au. (
+ 92050300 ; Serial (yymmddxx format)
+ 10800 ; Refresh 3hHours
+ 3600 ; Retry 1 hour
+ 3600000 ; Expire 1000 hours
+ 86400 ) ; Minimum 24 hours
+2 IN PTR decel.ecel.uwa.edu.au.
+3 IN PTR accfin.ecel.uwa.edu.au.
+5 IN PTR chris-mac.ecel.uwa.edu.au.
+--
+
+It is important to remember that you must have a second start of authority
+record for the reverse name lookups. Each reverse name lookup file must
+have its own SOA record. The reverse name lookup on the 127 domain is
+debatable seeing as there is likely to be only one number in the file and
+it is blatantly obvious what it is going to map to.
+
+The SOA details are the same as in the forward mapping.
+
+Each of the numbers listed down the left hand side indicates that the line
+contains information for that number of the subnet. Each of the subnets
+must be the more significant digits. eg the 130.95.4 of an IP number
+130.95.4.2 is implicit for all numbers mentioned in the file.
+
+The PTR must point to a machine that can be found in the DNS. If the name
+is not in the DNS, some versions of named just bomb out at this point.
+
+Reverse name lookups are not compulsory, but nice to have. It means that
+when people log into machines, they get names indicating where they are
+logged in from. It makes it easier for you to spot things that are wrong
+and it is far less cryptic than having lots of numbers everywhere. Also if
+you do not have a name for your machine, some brain dead protocols such as
+talk will not allow you to connect.
+
+Since I had this I had one suggestion of an alternative way to do the
+localhost entry. I think it is a matter of personal opinion so I'll
+include it here in case anyone things that this is a more appropriate
+method.
+
+The following is courtesy of jep@convex.nl (JEP de Bie)
+
+ The way I did it was:
+
+ 1) add in /etc/named.boot:
+
+ primary . localhost
+ primary 127.in-addr.ARPA. IP127
+
+(Craig: It has been suggested by Mark Andrews that this is a bad practice
+ particularly if you have upgraded to Bind 4.9. You also run the risk of
+ polluting the root name servers. This comes down to a battle of idealogy
+ and practicality. Think twice before declaring yourself authorative for
+ the root domain.)
+
+ So I not only declare myself (falsely? - probably, but nobody is going to
+ listen anyway most likely [CPR]:-) athorative in the 127.in-addr.ARPA domain
+ but also in the . (root) domain.
+
+ 2) the file localhost has:
+
+ $ORIGIN .
+ localhost IN A 127.0.0.1
+
+ 3) and the file IP127:
+
+ $ORIGIN 127.in-addr.ARPA.
+ 1.0.0 IN PTR localhost.
+
+ 4) and I have in my own domain file (convex.nl) the line:
+
+ $ORIGIN convex.nl.
+ localhost IN CNAME localhost.
+
+ The advantage (elegancy?) is that a query (A) of localhost. gives the
+ reverse of the query of 1.0.0.127.in-addr.ARPA. And it also shows that
+ localhost.convex.nl is only a nickname to something more absolute.
+ (While the notion of localhost is of course relative :-)).
+
+ And I also think there is a subtle difference between the lines
+
+ primary 127.in-addr.ARPA. IP127
+ and
+ primary 0.0.127.in-addr.ARPA. 4.95.130.domain
+ =============
+ JEP de Bie
+ jep@convex.nl
+ =============
+
+
+
+Delegating authority for domains within your domain:
+
+When you start having a very big domain that can be broken into logical and
+seperate entities that can look after their own DNS information, you will
+probably want to do this. Maintain a central area for the things that
+everyone needs to see and delegate the authority for the other parts of the
+organisation so that they can manage themselves.
+
+Another essential piece of information is that every domain that exists
+must have it NS records associated with it. These NS records denote the
+name servers that are queried for information about that zone. For your
+zone to be recognised by the outside world, the server responsible for the
+zone above you must have created a NS record for your machine in your
+domain. For example, putting the computer club onto the network and giving
+them control over their own part of the domain space we have the following.
+
+The machine authorative for gu.uwa.edu.au is mackerel and the machine
+authorative for ucc.gu.uwa.edu.au is marlin.
+
+in mackerel's data for gu.uwa.edu.au we have the following
+
+@ IN SOA ...
+ IN A 130.95.100.3
+ IN MX mackerel.gu.uwa.edu.au.
+ IN MX uniwa.uwa.edu.au.
+
+marlin IN A 130.95.100.4
+
+ucc IN NS marlin.gu.uwa.edu.au.
+ IN NS mackerel.gu.uwa.edu.au.
+
+Marlin is also given an IP in our domain as a convenience. If they blow up
+their name serving there is less that can go wrong because people can still
+see that machine which is a start. You could place "marlin.ucc" in the
+first column and leave the machine totally inside the ucc domain as well.
+
+The second NS line is because mackerel will be acting as secondary name
+server for the ucc.gu domain. Do not include this line if you are not
+authorative for the information included in the sub-domain.
+
+
+Troubleshooting your named:
+
+Named doesn't work! What is wrong?
+
+Step 1: Run nslookup and see what nameserver it tries to connect you to.
+If nslookup connects you to the wrong nameserver, create a /etc/resolv.conf
+file that points your machine at the correct nameserver. If there is no
+resolv.conf file, the the resolver uses the nameserver on the local
+machine.
+
+Step 2: Make sure that named is actually running.
+
+Step 3: Restart named and see if you get any error messages on the
+console and in also check /usr/adm/messages.
+
+Step 4: If named is running, nslookup connects to the appropriate
+nameserver and nslookup can answer simple questions, but other programs
+such as 'ping' do not work with names, then you need to install resolv+
+most likely.
+
+
+I changed my named database and my local machine has noticed, but nobody
+else has the new information?
+
+Change the serial number in the SOA for any domains that you modified and
+restart named. Wait an hour and check again. The information propogates
+out. It won't change immediately.
+
+
+My local machine knows about all the name server information, but no other
+sites know about me?
+
+Find an upstream nameserver (one that has an SOA for something in your
+domain) and ask them to be a secondary name server for you. eg if you are
+ecel.uwa.edu.au, ask someone who has an SOA for the domain uwa.edu.au.
+Get NS records (and glue) added to your parent zone for your zone. This is
+called delegating. It should be done formally like this or you will get
+inconsistant answers out of the DNS. ALL NAMSERVERS FOR YOUR ZONE SHOULD
+BE LISTED IN THIS MANNER.
+
+
+My forward domain names work, but the backward names do not?
+
+Make sure the numbers are back to front and have the in-addr.arpa on the
+end.
+Make sure you reverse zone is registered. For Class C nets this can be done
+by mailing to hostmaster@internic.net. For class A & B nets make sure that
+you are registeres with the primary for your net and that the net itself
+is registered with hostmaster@internic.net.
+
+
+How to get useful information from nslookup:
+
+Nslookup is a very useful program but I'm sure there are less than 20
+people worldwide who know how to use it to its full usefulness. I'm most
+certainly not one of them. If you don't like using nslookup, there is at
+least one other program called dig, that has most/all(?) of the
+functionality of nslookup and is a hell of a lot easier to use.
+
+I won't go into dig much here except to say that it is a lot easier to get
+this information out of. I won't bother because nslookup ships with almost
+all machines that come with network software.
+
+To run nslookup, you usually just type nslookup. It will tell you the
+server it connects to. You can specify a different server if you want.
+This is useful when you want to tell if your named information is
+consistent with other servers.
+
+Getting name to number mappings.
+
+Type the name of the machine. Typing 'decel' is enough if the machine is
+local.
+
+(Once you have run nslookup successfully)
+> decel
+Server: ecel.uwa.edu.au
+Address: 130.95.4.2
+
+Name: decel.ecel.uwa.edu.au
+Address: 130.95.4.2
+
+>
+
+One curious quirk of some name resolvers is that if you type a
+machine name, they will try a number of permutations. For example if my
+machine is in the domain ecel.uwa.edu.au and I try to find a machine
+called fred, the resolver will try the following.
+
+ fred.ecel.uwa.edu.au.
+ fred.uwa.edu.au.
+ fred.edu.au.
+ fred.au.
+ fred.
+
+This can be useful, but more often than not, you would simply prefer a good
+way to make aliases for machines that are commonly referenced. If you are
+running resolv+, you should just be able to put common machines into the
+host file.
+
+DIG: dig <machine name>
+
+Getting number to name mappings.
+
+Nslookup defaults to finding you the Address of the name specified. For
+reverse lookups you already have the address and you want to find the
+name that goes with it. If you read and understood the bit above where it
+describes how to create the number to name mapping file, you would guess
+that you need to find the PTR record instead of the A record. So you do
+the following.
+
+> set type=ptr
+> 2.4.95.130.in-addr.arpa
+Server: decel.ecel.uwa.edu.au
+Address: 130.95.4.2
+
+2.4.95.130.in-addr.arpa host name = decel.ecel.uwa.edu.au
+>
+
+nslookup tells you that the ptr for the machine name
+2.4.95.130.in-addr.arpa points to the host decel.ecel.uwa.edu.au.
+
+DIG: dig -x <machine number>
+
+Finding where mail goes when a machine has no IP number.
+
+When a machine is not IP connected, it needs to specify to the world, where
+to send the mail so that it can dial up and collect it every now and then.
+This is accomplished by setting up an MX record for the site and not giving
+it an IP number. To get the information out of nslookup as to where the
+mail goes, do the following.
+
+> set type=mx
+> dialix.oz.au
+Server: decel.ecel.uwa.oz.au
+Address: 130.95.4.2
+
+Non-authoritative answer:
+dialix.oz.au preference = 100, mail exchanger = uniwa.uwa.OZ.AU
+dialix.oz.au preference = 200, mail exchanger = munnari.OZ.AU
+Authoritative answers can be found from:
+uniwa.uwa.OZ.AU inet address = 130.95.128.1
+munnari.OZ.AU inet address = 128.250.1.21
+munnari.OZ.AU inet address = 192.43.207.1
+mulga.cs.mu.OZ.AU inet address = 128.250.35.21
+mulga.cs.mu.OZ.AU inet address = 192.43.207.2
+dmssyd.syd.dms.CSIRO.AU inet address = 130.155.16.1
+ns.UU.NET inet address = 137.39.1.3
+
+You tell nslookup that you want to search for mx records and then you give
+it the name of the machine. It tells you the preference for the mail
+(small means more preferable), and who the mail should be sent to. It also
+includes sites that are authorative (have this name in their named database
+files) for this MX record. There are multiple sites as a backup. As can
+be seen, our local public internet access company dialix would like all of
+their mail to be sent to uniwa, where they collect it from. If uniwa is
+not up, send it to munnari and munnari will get it to uniwa eventually.
+
+NOTE: For historical reasons Australia used to be .oz which was changed to
+.oz.au to move to the ISO standard extensions upon the advent of IP. We
+are now moving to a more normal heirarchy which is where the .edu.au comes
+from. Pity, I liked having oz.
+
+DIG: dig <zone> mx
+
+Getting a list of machines in a domain from nslookup.
+
+Find a server that is authorative for the domain or just generally all
+knowing. To find a good server, find all the soa records for a given
+domain. To do this, you set type=soa and enter the domain just like in the
+two previous examples.
+
+Once you have a server type
+
+> ls gu.uwa.edu.au.
+[uniwa.uwa.edu.au]
+Host or domain name Internet address
+ gu server = mackerel.gu.uwa.edu.au
+ gu server = uniwa.uwa.edu.au
+ gu 130.95.100.3
+ snuffle-upagus 130.95.100.131
+ mullet 130.95.100.2
+ mackerel 130.95.100.3
+ marlin 130.95.100.4
+ gugate 130.95.100.1
+ gugate 130.95.100.129
+ helpdesk 130.95.100.180
+ lan 130.95.100.0
+ big-bird 130.95.100.130
+
+To get a list of all the machines in the domain.
+
+If you wanted to find a list of all of the MX records for the domain, you
+can put a -m flag in the ls command.
+
+> ls -m gu.uwa.edu.au.
+[uniwa.uwa.edu.au]
+Host or domain name Metric Host
+ gu 100 mackerel.gu.uwa.edu.au
+ gu 200 uniwa.uwa.edu.au
+
+This only works for a limited selection of the different types.
+
+DIG: dig axfr <zone> @<server>
+
+
+
+Appendix A
+
+
+;
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC registration services
+; under anonymous FTP as
+; file /domain/named.root
+; on server FTP.RS.INTERNIC.NET
+; -OR- under Gopher at RS.INTERNIC.NET
+; under menu InterNIC Registration Services (NSI)
+; submenu InterNIC Registration Archives
+; file named.root
+;
+; last update: April 21, 1993
+; related version of root zone: 930421
+;
+. 99999999 IN NS NS.INTERNIC.NET.
+NS.INTERNIC.NET. 99999999 A 198.41.0.4
+. 99999999 NS KAVA.NISC.SRI.COM.
+KAVA.NISC.SRI.COM. 99999999 A 192.33.33.24
+. 99999999 NS C.NYSER.NET.
+C.NYSER.NET. 99999999 A 192.33.4.12
+. 99999999 NS TERP.UMD.EDU.
+TERP.UMD.EDU. 99999999 A 128.8.10.90
+. 99999999 NS NS.NASA.GOV.
+NS.NASA.GOV. 99999999 A 128.102.16.10
+ 99999999 A 192.52.195.10
+. 99999999 NS NS.NIC.DDN.MIL.
+NS.NIC.DDN.MIL. 99999999 A 192.112.36.4
+. 99999999 NS AOS.ARL.ARMY.MIL.
+AOS.ARL.ARMY.MIL. 99999999 A 128.63.4.82
+ 99999999 A 192.5.25.82
+. 99999999 NS NIC.NORDU.NET.
+NIC.NORDU.NET. 99999999 A 192.36.148.17
+; End of File
+
+
+Appendix B
+
+An Excerpt from
+RFC 1340 Assigned Numbers July 1992
+
+
+ MACHINE NAMES
+
+ These are the Official Machine Names as they appear in the Domain Name
+ System HINFO records and the NIC Host Table. Their use is described in
+ RFC-952 [53].
+
+ A machine name or CPU type may be up to 40 characters taken from the
+ set of uppercase letters, digits, and the two punctuation characters
+ hyphen and slash. It must start with a letter, and end with a letter
+ or digit.
+
+ ALTO DEC-1080
+ ALTOS-6800 DEC-1090
+ AMDAHL-V7 DEC-1090B
+ APOLLO DEC-1090T
+ ATARI-104ST DEC-2020T
+ ATT-3B1 DEC-2040
+ ATT-3B2 DEC-2040T
+ ATT-3B20 DEC-2050T
+ ATT-7300 DEC-2060
+ BBN-C/60 DEC-2060T
+ BURROUGHS-B/29 DEC-2065
+ BURROUGHS-B/4800 DEC-FALCON
+ BUTTERFLY DEC-KS10
+ C/30 DEC-VAX-11730
+ C/70 DORADO
+ CADLINC DPS8/70M
+ CADR ELXSI-6400
+ CDC-170 EVEREX-386
+ CDC-170/750 FOONLY-F2
+ CDC-173 FOONLY-F3
+ CELERITY-1200 FOONLY-F4
+ CLUB-386 GOULD
+ COMPAQ-386/20 GOULD-6050
+ COMTEN-3690 GOULD-6080
+ CP8040 GOULD-9050
+ CRAY-1 GOULD-9080
+ CRAY-X/MP H-316
+ CRAY-2 H-60/68
+ CTIWS-117 H-68
+ DANDELION H-68/80
+ DEC-10 H-89
+ DEC-1050 HONEYWELL-DPS-6
+ DEC-1077 HONEYWELL-DPS-8/70
+ HP3000 ONYX-Z8000
+ HP3000/64 PDP-11
+ IBM-158 PDP-11/3
+ IBM-360/67 PDP-11/23
+ IBM-370/3033 PDP-11/24
+ IBM-3081 PDP-11/34
+ IBM-3084QX PDP-11/40
+ IBM-3101 PDP-11/44
+ IBM-4331 PDP-11/45
+ IBM-4341 PDP-11/50
+ IBM-4361 PDP-11/70
+ IBM-4381 PDP-11/73
+ IBM-4956 PE-7/32
+ IBM-6152 PE-3205
+ IBM-PC PERQ
+ IBM-PC/AT PLEXUS-P/60
+ IBM-PC/RT PLI
+ IBM-PC/XT PLURIBUS
+ IBM-SERIES/1 PRIME-2350
+ IMAGEN PRIME-2450
+ IMAGEN-8/300 PRIME-2755
+ IMSAI PRIME-9655
+ INTEGRATED-SOLUTIONS PRIME-9755
+ INTEGRATED-SOLUTIONS-68K PRIME-9955II
+ INTEGRATED-SOLUTIONS-CREATOR PRIME-2250
+ INTEGRATED-SOLUTIONS-CREATOR-8 PRIME-2655
+ INTEL-386 PRIME-9955
+ INTEL-IPSC PRIME-9950
+ IS-1 PRIME-9650
+ IS-68010 PRIME-9750
+ LMI PRIME-2250
+ LSI-11 PRIME-750
+ LSI-11/2 PRIME-850
+ LSI-11/23 PRIME-550II
+ LSI-11/73 PYRAMID-90
+ M68000 PYRAMID-90MX
+ MAC-II PYRAMID-90X
+ MASSCOMP RIDGE
+ MC500 RIDGE-32
+ MC68000 RIDGE-32C
+ MICROPORT ROLM-1666
+ MICROVAX S1-MKIIA
+ MICROVAX-I SMI
+ MV/8000 SEQUENT-BALANCE-8000
+ NAS3-5 SIEMENS
+ NCR-COMTEN-3690 SILICON-GRAPHICS
+ NEXT/N1000-316 SILICON-GRAPHICS-IRIS
+ NOW SGI-IRIS-2400
+ SGI-IRIS-2500 SUN-3/50
+ SGI-IRIS-3010 SUN-3/60
+ SGI-IRIS-3020 SUN-3/75
+ SGI-IRIS-3030 SUN-3/80
+ SGI-IRIS-3110 SUN-3/110
+ SGI-IRIS-3115 SUN-3/140
+ SGI-IRIS-3120 SUN-3/150
+ SGI-IRIS-3130 SUN-3/160
+ SGI-IRIS-4D/20 SUN-3/180
+ SGI-IRIS-4D/20G SUN-3/200
+ SGI-IRIS-4D/25 SUN-3/260
+ SGI-IRIS-4D/25G SUN-3/280
+ SGI-IRIS-4D/25S SUN-3/470
+ SGI-IRIS-4D/50 SUN-3/480
+ SGI-IRIS-4D/50G SUN-4/60
+ SGI-IRIS-4D/50GT SUN-4/110
+ SGI-IRIS-4D/60 SUN-4/150
+ SGI-IRIS-4D/60G SUN-4/200
+ SGI-IRIS-4D/60T SUN-4/260
+ SGI-IRIS-4D/60GT SUN-4/280
+ SGI-IRIS-4D/70 SUN-4/330
+ SGI-IRIS-4D/70G SUN-4/370
+ SGI-IRIS-4D/70GT SUN-4/390
+ SGI-IRIS-4D/80GT SUN-50
+ SGI-IRIS-4D/80S SUN-100
+ SGI-IRIS-4D/120GTX SUN-120
+ SGI-IRIS-4D/120S SUN-130
+ SGI-IRIS-4D/210GTX SUN-150
+ SGI-IRIS-4D/210S SUN-170
+ SGI-IRIS-4D/220GTX SUN-386i/250
+ SGI-IRIS-4D/220S SUN-68000
+ SGI-IRIS-4D/240GTX SYMBOLICS-3600
+ SGI-IRIS-4D/240S SYMBOLICS-3670
+ SGI-IRIS-4D/280GTX SYMMETRIC-375
+ SGI-IRIS-4D/280S SYMULT
+ SGI-IRIS-CS/12 TANDEM-TXP
+ SGI-IRIS-4SERVER-8 TANDY-6000
+ SPERRY-DCP/10 TEK-6130
+ SUN TI-EXPLORER
+ SUN-2 TP-4000
+ SUN-2/50 TRS-80
+ SUN-2/100 UNIVAC-1100
+ SUN-2/120 UNIVAC-1100/60
+ SUN-2/130 UNIVAC-1100/62
+ SUN-2/140 UNIVAC-1100/63
+ SUN-2/150 UNIVAC-1100/64
+ SUN-2/160 UNIVAC-1100/70
+ SUN-2/170 UNIVAC-1160
+ UNKNOWN
+ VAX-11/725
+ VAX-11/730
+ VAX-11/750
+ VAX-11/780
+ VAX-11/785
+ VAX-11/790
+ VAX-11/8600
+ VAX-8600
+ WANG-PC002
+ WANG-VS100
+ WANG-VS400
+ WYSE-386
+ XEROX-1108
+ XEROX-8010
+ ZENITH-148
+
+ SYSTEM NAMES
+
+ These are the Official System Names as they appear in the Domain Name
+ System HINFO records and the NIC Host Table. Their use is described
+ in RFC-952 [53].
+
+ A system name may be up to 40 characters taken from the set of upper-
+ case letters, digits, and the three punctuation characters hyphen,
+ period, and slash. It must start with a letter, and end with a
+ letter or digit.
+
+ AEGIS LISP SUN OS 3.5
+ APOLLO LISPM SUN OS 4.0
+ AIX/370 LOCUS SWIFT
+ AIX-PS/2 MACOS TAC
+ BS-2000 MINOS TANDEM
+ CEDAR MOS TENEX
+ CGW MPE5 TOPS10
+ CHORUS MSDOS TOPS20
+ CHRYSALIS MULTICS TOS
+ CMOS MUSIC TP3010
+ CMS MUSIC/SP TRSDOS
+ COS MVS ULTRIX
+ CPIX MVS/SP UNIX
+ CTOS NEXUS UNIX-BSD
+ CTSS NMS UNIX-V1AT
+ DCN NONSTOP UNIX-V
+ DDNOS NOS-2 UNIX-V.1
+ DOMAIN NTOS UNIX-V.2
+ DOS OS/DDP UNIX-V.3
+ EDX OS/2 UNIX-PC
+ ELF OS4 UNKNOWN
+ EMBOS OS86 UT2D
+ EMMOS OSX V
+ EPOS PCDOS VM
+ FOONEX PERQ/OS VM/370
+ FUZZ PLI VM/CMS
+ GCOS PSDOS/MIT VM/SP
+ GPOS PRIMOS VMS
+ HDOS RMX/RDOS VMS/EUNICE
+ IMAGEN ROS VRTX
+ INTERCOM RSX11M WAITS
+ IMPRESS RTE-A WANG
+ INTERLISP SATOPS WIN32
+ IOS SCO-XENIX/386 X11R3
+ IRIX SCS XDE
+ ISI-68020 SIMP XENIX
+ ITS SUN
+
+
+
+Appendix C Installing DNS on a Sun when running NIS
+
+====================
+ 2) How to get DNS to be used when running NIS ?
+
+ First setup the appropriate /etc/resolv.conf file.
+ Something like this should do the "trick".
+
+ ;
+ ; Data file for a client.
+ ;
+ domain local domain
+ nameserver address of primary domain nameserver
+ nameserver address of secondary domain nameserver
+
+ where: "local domain" is the domain part of the hostnames.
+ For example, if your hostname is "thor.ece.uc.edu"
+ your "local domain" is "ece.uc.edu".
+
+ You will need to put a copy of this resolv.conf on
+ all NIS(YP) servers including slaves.
+
+ Under SunOS 4.1 and greater, change the "B=" at the top
+ of the /var/yp/Makefile to "B=-b" and setup NIS in the
+ usual fashion.
+
+ You will need reboot or restart ypserv for these changes
+ to take affect.
+
+ Under 4.0.x, edit the Makefile or apply the following "diff":
+
+*** Makefile.orig Wed Jan 10 13:22:11 1990
+--- Makefile Wed Jan 10 13:22:01 1990
+***************
+*** 63 ****
+! | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byname; \
+--- 63 ----
+! | $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byname; \
+***************
+*** 66 ****
+! | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byaddr; \
+--- 66 ----
+! | $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byaddr; \
+====================
+
diff --git a/contrib/bind/doc/misc/style.txt b/contrib/bind/doc/misc/style.txt
new file mode 100644
index 0000000..a966066
--- /dev/null
+++ b/contrib/bind/doc/misc/style.txt
@@ -0,0 +1,172 @@
+Path: vixie!vixie
+From: vixie@vix.com (Paul A Vixie)
+Newsgroups: comp.protocols.tcp-ip.domains
+Subject: Re: Format of DNS files (style question)
+Date: 28 Aug 94 03:17:08
+Organization: Vixie Enterprises
+Lines: 159
+Distribution: inet
+Message-ID: <VIXIE.94Aug28031708@office.home.vix.com>
+References: <33onnr$i4u@zombie.ncsc.mil>
+NNTP-Posting-Host: office.home.vix.com
+In-reply-to: sjr@zombie.ncsc.mil's message of 27 Aug 1994 21:02:51 -0400
+
+> (Style) Suggestions for how to layout DNS configuration files (both
+> forward and reverse)?
+
+I've gone back and forth on the question of whether the BOG should include a
+section on this topic. I know what I myself prefer, but I'm wary of ramming
+my own stylistic preferences down the throat of every BOG reader. But since
+you ask :-)...
+
+Create /var/named. If your system is too old to have a /var, either create
+one or use /usr/local/adm/named instead. Put your named.boot in it, and make
+/etc/named.boot a symlink to it. If your system doesn't have symlinks, you're
+S-O-L (but you knew that). In named.boot, put a "directory" directive that
+specifies your actual BIND working directory:
+
+ directory /var/named
+
+All relative pathnames used in "primary", "secondary", and "cache" directives
+will be evaluated relative to this directory. Create two subdirectories,
+/var/named/pri and /var/named/sec. Whenever you add a "primary" directive
+to your named.boot, use "pri/WHATEVER" as the path name. And then put the
+primary zone file into "pri/WHATEVER". Likewise when you add "secondary"
+directives, use "sec/WHATEVER" and BIND (really named-xfer) will create the
+files in that subdirectory.
+
+(Variations: (1) make a midlevel directory "zones" and put "pri" and "sec"
+into it; (2) if you tend to pick up a lot of secondaries from a few hosts,
+group them together in their own subdirectories -- something like
+/var/named/zones/uucp if you're a UUCP Project name server.)
+
+For your forward files, name them after the zone. dec.com becomes
+"/var/named/zones/pri/dec.com". For your reverse files, name them after the
+network number. 0.1.16.in-addr.arpa becomes "/var/named/zones/pri/16.1.0".
+
+When creating or maintaining primary zone files, try to use the same SOA
+values everywhere, except for the serial number which varies per zone. Put
+a $ORIGIN directive at the top of the primary zone file, not because it's
+needed (it's not since the default origin is the zone named in the "primary"
+directive) but because it make it easier to remember what you're working on
+when you have a lot of primary zones. Put some comments up there indicating
+contact information for the real owner if you're proxying. Use RCS and put
+the "$Id: style.txt,v 8.1 1995/12/22 21:59:52 vixie Exp $" in a ";" comment near the top of the zone file.
+
+The SOA and other top level information should all be listed together. But
+don't put IN on every line, it defaults nicely. For example:
+
+==============
+@ IN SOA gw.home.vix.com. postmaster.vix.com. (
+ 1994082501 ; serial
+ 3600 ; refresh (1 hour)
+ 1800 ; retry (30 mins)
+ 604800 ; expire (7 days)
+ 3600 ) ; minimum (1 hour)
+
+ NS gw.home.vix.com.
+ NS ns.uu.net.
+ NS uucp-gw-1.pa.dec.com.
+ NS uucp-gw-2.pa.dec.com.
+
+ MX 10 gw.home.vix.com.
+ MX 20 uucp-gw-1.pa.dec.com.
+ MX 20 uucp-gw-1.pa.dec.com.
+==============
+
+I don't necessarily recommend those SOA values. Not every zone is as volatile
+as the example shown. I do recommend that serial number format; it's in date
+format with a 2-digit per-day revision number. This format will last us until
+2147 A.D. at which point I expect a better solution will have been found :-).
+(Note that it would last until 4294 A.D. except that there are some old BINDs
+out there that use a signed quantity for representing serial number interally;
+I suppose that as long as none of these are still running after 2047 A.D.,
+that we can use the above serial number format until 4294 A.D., at which point
+a better solution will HAVE to be found.)
+
+You'll note that I use a tab stop for "IN" even though I never again specify
+it. This leaves room for names longer than 7 bytes without messing up the
+columns. You might also note that I've put the MX priority and destination
+in the same tab stop; this is because both are part of the RRdata and both
+are very different from MX which is an RRtype. Some folks seem to prefer to
+group "MX" and the priority together in one tab stop. While this looks neat
+it's very confusing to newcomers and for them it violates the law of least
+astonishment.
+
+If you have a multi-level zone (one which contains names that have dots in
+them), you can use additional $ORIGIN statements but I recommend against it
+since there is no "back" operator. That is, given the above example you can
+add:
+
+=============
+$ORIGIN home
+gw A 192.5.5.1
+=============
+
+The problem with this is that subsequent RR's had better be somewhere under
+the "home.vix.com" name or else the $ORIGIN that introduces them will have
+to use a fully qualified name. FQDN $ORIGIN's aren't bad and I won't be mad
+if you use them. Unqualified ones as shown above are real trouble. I usually
+stay away from them and just put the whole name in:
+
+=============
+gw.home A 192.5.5.1
+=============
+
+In your reverse zones, you're usually in some good luck because the owner name
+is usually a single short token or sometimes two.
+
+=============
+$ORIGIN 5.5.192.in-addr.arpa.
+@ IN SOA ...
+ NS ...
+1 PTR gw.home.vix.com.
+-------------
+$ORIGIN 1.16.in-addr.arpa.
+@ IN SOA ...
+ NS ...
+2.0 PTR gatekeeper.dec.com.
+=============
+
+It is usually pretty hard to keep your forward and reverse zones in synch.
+You can avoid that whole problem by just using "h2n" (see the ORA book, DNS
+and BIND, and its sample toolkit, included in the BIND distribution or on
+ftp.uu.net (use the QUOTE SITE EXEC INDEX command there to find this -- I
+never can remember where it's at). "h2n" and many tools like it can just
+read your old /etc/hosts file and churn it into DNS zone files. (May I
+recommend contrib/decwrl/mkdb.pl from the BIND distribution?) However, if
+you (like me) prefer to edit these things by hand, you need to follow the
+simple convention of making all of your holes consistent. If you use
+192.5.5.1 and 192.5.5.3 but not (yet) 192.5.5.2, then in your forward file
+you will have something like
+
+=============
+...
+gw.home A 192.5.5.1
+;avail A 192.5.5.2
+pc.home A 192.5.5.3
+=============
+
+and in your reverse file you will have something like
+
+=============
+...
+1 PTR gw.home.vix.com.
+;2 PTR avail
+3 PTR pc.home.vix.com.
+=============
+
+This convention will allow you to keep your sanity and make fewer errors.
+Any kind of automation (h2n, mkdb, or your own perl/tcl/awk/python tools)
+will help you maintain a consistent universe even if it's also a complex
+one. Editing by hand doesn't have to be deadly but you MUST take care.
+
+Anyone who wants to know how to maintain nonleaf zones, i.e., zones which
+have few or no hosts in them but have hundreds or thousands of delegations,
+should attend Usenix LISA in San Diego and be there for the SENDS talk.
+Contact office@usenix.org for conference information.
+--
+Paul Vixie
+Redwood City, CA
+decwrl!vixie!paul
+<paul@vix.com>
OpenPOWER on IntegriCloud