author | asmodai <asmodai@FreeBSD.org> | 2000-10-31 14:17:05 +0000 |
---|---|---|
committer | asmodai <asmodai@FreeBSD.org> | 2000-10-31 14:17:05 +0000 |
commit | 9c741fe8e6df49a6becda42a944de915788f47ee (patch) | |
tree | 1d278826ace53cc94b9dddb7b4d796a80d9e7699 /contrib | |
parent | 90887e8f5bdae690c1ceca0ae12853e5e66c5282 (diff) | |
Virgin import of BIND v8.2.3-T6B
Diffstat (limited to 'contrib')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | contrib/bind/doc/html/address_list.html | 6 |
| -rw-r--r-- | contrib/bind/doc/html/index.html | 6 |
| -rw-r--r-- | contrib/bind/doc/html/master.html | 8 |
| -rw-r--r-- | contrib/bind/doc/html/options.html | 16 |
| -rw-r--r-- | contrib/bind/doc/html/zone.html | 8 |
| -rw-r--r-- | contrib/bind/doc/man/Makefile | 2 |
| -rw-r--r-- | contrib/bind/doc/man/host.1 | 5 |
| -rw-r--r-- | contrib/bind/doc/man/named.8 | 3 |
| -rw-r--r-- | contrib/bind/doc/man/named.conf.5 | 8 |
| -rw-r--r-- | contrib/bind/doc/man/nslookup.8 | 2 |
| -rw-r--r-- | contrib/bind/doc/man/nsupdate.8 | 11 |
| -rw-r--r-- | contrib/bind/doc/man/resolver.3 | 54 |
| -rw-r--r-- | contrib/bind/doc/misc/FAQ.1of2 | 1109 |
| -rw-r--r-- | contrib/bind/doc/misc/FAQ.2of2 | 995 |
14 files changed, 1673 insertions, 560 deletions
diff --git a/contrib/bind/doc/html/address_list.html b/contrib/bind/doc/html/address_list.html index ec39138..c2b2fe7 100644 --- a/contrib/bind/doc/html/address_list.html +++ b/contrib/bind/doc/html/address_list.html @@ -12,9 +12,9 @@ <A NAME="Syntax"><H3>Syntax</H3></A> <PRE> -<VAR>address_match_list</VAR> = 1*<VAR>address_match_element</VAR> +<VAR>address_match_list</VAR> = <VAR>address_match_element</VAR> [ <VAR>address_match_element</VAR> ... ] -<VAR>address_match_element</VAR> = [ "!" ] (<VAR><A HREF="docdef.html">address_match_list</A></VAR> / <VAR><A HREF="docdef.html">ip_address</A></VAR> / <VAR><A HREF="docdef.html">ip_prefix</A></VAR> / <VAR><A HREF="acl.html">acl_name</A></VAR> / <VAR><A HREF="docdef.html">"key" key_id</A></VAR>) ";" +<VAR>address_match_element</VAR> = [ "!" ] ( <VAR><A HREF="docdef.html">ip_address</A></VAR> / <VAR><A HREF="docdef.html">ip_prefix</A></VAR> / <VAR><A HREF="acl.html">acl_name</A></VAR> / <VAR><A HREF="docdef.html">"key" key_id</A></VAR> / { <VAR>address_match_list</VAR> } ) ; </PRE> <HR> @@ -94,7 +94,7 @@ fall through. <HR> <ADDRESS> -Last Updated: $Id: address_list.html,v 1.8 1999/09/15 20:28:00 cyarnell Exp $ +Last Updated: $Id: address_list.html,v 1.9 1999/12/03 02:20:42 gson Exp $ </ADDRESS> </BODY> </HTML> diff --git a/contrib/bind/doc/html/index.html b/contrib/bind/doc/html/index.html index f19464b..d78a8aa 100644 --- a/contrib/bind/doc/html/index.html +++ b/contrib/bind/doc/html/index.html @@ -11,9 +11,9 @@ <UL> <LI>DNS Dynamic Updates -(<A HREF=http://ds.internic.net/rfc/rfc2136.txt>RFC 2136</A>)</LI> +(<A HREF=http://www.ietf.org/rfc/rfc2136.txt>RFC 2136</A>)</LI> <LI>DNS Change Notification -(<A HREF=http://ds.internic.net/rfc/rfc1996.txt>RFC 1996</A>)</LI> +(<A HREF=http://www.ietf.org/rfc/rfc1996.txt>RFC 1996</A>)</LI> <LI>Completely new configuration syntax</LI> <LI>Flexible, categorized logging system</LI> <LI>IP-address-based access control for queries, zone transfers, and 
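Review bot: in the rewritten address_match_element production (address_list.html, first hunk) the terminating `;` is left bare while `"!"` and `"key"` keep their double quotes; quote it as `";"`, as the removed line did, so literal tokens are marked consistently and the semicolon is not mistaken for a grammar metacharacter. The switch to `{ address_match_list }` for nesting is consistent with the brace syntax shown in the options.html and zone.html hunks later in this patch.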
@@ -58,7 +58,7 @@ and generally kind hearted folk such as yourself. <HR> <ADDRESS> -Last Updated: $Id: index.html,v 1.5 1998/11/24 01:44:43 marka Exp $ +Last Updated: $Id: index.html,v 1.6 1999/12/28 10:03:40 cyarnell Exp $ </ADDRESS> </BODY> diff --git a/contrib/bind/doc/html/master.html b/contrib/bind/doc/html/master.html index ff4ba0a..dbf8503 100644 --- a/contrib/bind/doc/html/master.html +++ b/contrib/bind/doc/html/master.html @@ -11,7 +11,7 @@ <P> The Master File Format was initially defined in -<A HREF=http://ds.internic.net/rfc/rfc1035.txt>RFC 1035</A> +<A HREF=http://www.ietf.org/rfc/rfc1035.txt>RFC 1035</A> and has subsequently been extended. <P> While the Master File Format is class independent all records in a @@ -46,7 +46,7 @@ point. If origin is specified the file is processed with <CODE>$ORIGIN</CODE> set to that value otherwise the current <CODE>$ORIGIN</CODE> is used. <I>NOTE: The behaviour when <origin> is specified differs from that described in -<A HREF=http://ds.internic.net/rfc/rfc1035.txt>RFC 1035</A>.</I> +<A HREF=http://www.ietf.org/rfc/rfc1035.txt>RFC 1035</A>.</I> <P> The origin and current domain revert to the values they were prior to the <CODE>$INCLUDE</CODE> once the file has been read. @@ -57,7 +57,7 @@ Set the default Time To Live (TTL) for subsequent records with undefined TTL's. Valid TTL's are of the range 0-2147483647. <P> <CODE>$TTL</CODE> is defined in -<A HREF=http://ds.internic.net/rfc/rfc2308.txt>RFC 2308</A>. +<A HREF=http://www.ietf.org/rfc/rfc2308.txt>RFC 2308</A>. <H3>BIND Master File Extentions</H3> <H4>$GENERATE</H4> Syntax: <CODE>$GENERATE <range> <lhs> <type> <rhs> 
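Review bot: the master.html -57 hunk only swaps the RFC 2308 URL, but two context lines it carries are worth fixing in the same pass: `<H3>BIND Master File Extentions</H3>` misspells "Extensions", and "undefined TTL's. Valid TTL's are of the range" should read "TTLs" in both places.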
@@ -67,7 +67,7 @@ Syntax: <CODE>$GENERATE <range> <lhs> <type> <rhs> that only differ from each other by an iterator. <CODE>$GENERATE</CODE> can be used to easily generate the sets of records required to support sub /24 reverse delegations described in -<A HREF=http://ds.internic.net/rfc/rfc2317.txt>RFC 2317: Classless IN-ADDR.ARPA delegation</A>. +<A HREF=http://www.ietf.org/rfc/rfc2317.txt>RFC 2317: Classless IN-ADDR.ARPA delegation</A>. <PRE> $ORIGIN 0.0.192.IN-ADDR.ARPA. diff --git a/contrib/bind/doc/html/options.html b/contrib/bind/doc/html/options.html index e3e09ef..5e96d1f 100644 --- a/contrib/bind/doc/html/options.html +++ b/contrib/bind/doc/html/options.html @@ -33,7 +33,7 @@ options { [ rfc2308-type1 <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ use-id-pool <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ treat-cr-as-space <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] - [ also-notify { <VAR><A HREF="docdef.html">ip_addr</A></VAR>; [ <VAR><A HREF="docdef.html">ip_addr</A></VAR>; ... ] }; + [ also-notify { <VAR><A HREF="docdef.html">ip_addr</A></VAR>; [ <VAR><A HREF="docdef.html">ip_addr</A></VAR>; ... ] }; ] [ forward ( only | first ); ] [ forwarders { [ <VAR><A HREF="docdef.html">in_addr</A></VAR> ; [ <VAR><A HREF="docdef.html">in_addr</A></VAR> ; ... ] ] }; ] [ check-names ( master | slave | response ) ( warn | fail | ignore); ] @@ -65,7 +65,7 @@ options { [ statistics-interval <VAR>number</VAR>; ] [ <A HREF="#topology">topology</A> { <VAR>address_match_list</VAR> }; ] [ <A HREF="#sortlist">sortlist</A> { <VAR>address_match_list</VAR> }; ] - [ rrset-order { <VAR>order_spec</VAR> ; [ <VAR>order_spec</VAR> ; ... ] ] }; + [ rrset-order { <VAR>order_spec</VAR> ; [ <VAR>order_spec</VAR> ; ... ] }; ] }; </PRE> <HR> 
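Review bot: the also-notify line in the options.html syntax block gains its missing closing `]` (and the rrset-order `]` is moved outside `};`, where it belongs), but the zone syntax in named.conf.5, visible as context in that file's -1757 hunk later in this patch, still reads `[ also-notify { \fIip_addr\fR; [ \fIip_addr\fR; ... ] };` with no closing `]`; apply the same one-character fix there so the man page agrees with options.html and zone.html.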
@@ -189,12 +189,10 @@ becoming corrupted (at the cost of requiring more work from the client). <DT><CODE>has-old-clients</CODE> <DD> -Setting the option to <CODE>yes</CODE> is equivalent to setting the follow -three options <CODE>auth-nxdomain yes;</CODE>, <CODE>maintain-ixfr-base -yes;</CODE> and <CODE>rfc2308-type1 no;</CODE>. -The use of <CODE>has-old-clients</CODE> with <CODE>auth-nxdomain</CODE>, -<CODE>maintain-ixfr-base</CODE> and <CODE>rfc2308-type1</CODE> is order -dependant. +Setting the option to <CODE>yes</CODE> is equivalent to setting the following +options: <CODE>auth-nxdomain yes;</CODE> and <CODE>rfc2308-type1 no;</CODE>. +The use of <CODE>has-old-clients</CODE> with <CODE>auth-nxdomain</CODE> +and <CODE>rfc2308-type1</CODE> is order dependent. <DT><CODE>host-statistics</CODE> <DD> @@ -808,7 +806,7 @@ request for the root servers to be accepted. Default 2. <HR> <ADDRESS> -Last Updated: $Id: options.html,v 1.36 1999/10/13 20:57:05 cyarnell Exp $ +Last Updated: $Id: options.html,v 1.40 2000/06/01 21:37:46 cyarnell Exp $ </ADDRESS> </BODY> </HTML> diff --git a/contrib/bind/doc/html/zone.html b/contrib/bind/doc/html/zone.html index 8d90a45..48685c7 100644 --- a/contrib/bind/doc/html/zone.html +++ b/contrib/bind/doc/html/zone.html 
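Review bot: the rewritten has-old-clients text drops maintain-ixfr-base from the list of options it implies, and nothing in the hunk says whether the server behaviour changed or the old text was wrong; one added line (for example "maintain-ixfr-base is no longer affected by this option") would stop readers of the previous release's documentation from assuming the old coupling still holds. The retained sentence "is order dependent" should also state which statement takes effect when both appear in the same options block, since that decides whether auth-nxdomain ends up yes or no.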
@@ -23,10 +23,10 @@ zone <VAR><A HREF="docdef.html">domain_name</A></VAR> [ ( in | hs | hesiod | cha [ allow-transfer { <VAR><A HREF="address_list.html">address_match_list</A></VAR> }; ] [ dialup <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ notify <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] - [ also-notify { <VAR><A HREF="docdef.html">ip_addr</A></VAR>; [ <VAR>ip_addr</VAR>; ... ] }; + [ also-notify { <VAR><A HREF="docdef.html">ip_addr</A></VAR>; [ <VAR>ip_addr</VAR>; ... ] }; ] [ ixfr-base <VAR><A HREF="docdef.html">path_name</A></VAR>; ] [ pubkey <VAR><A HREF="docdef.html">number</A></VAR> <VAR><A HREF="docdef.html">number</A></VAR> <VAR><A HREF="docdef.html">number</A></VAR> <VAR>string</VAR>; ] -}; +}; zone <VAR><A HREF="docdef.html">domain_name</A></VAR> [ ( in | hs | hesiod | chaos ) ] { type ( slave | stub ); @@ -43,7 +43,7 @@ zone <VAR><A HREF="docdef.html">domain_name</A></VAR> [ ( in | hs | hesiod | cha [ dialup <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ max-transfer-time-in <VAR>number</VAR>; ] [ notify <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] - [ also-notify { <VAR><A HREF="docdef.html">ip_addr</A></VAR>; [ <VAR>ip_addr</VAR>; ... ] }; + [ also-notify { <VAR><A HREF="docdef.html">ip_addr</A></VAR>; [ <VAR>ip_addr</VAR>; ... ] }; ] [ pubkey <VAR><A HREF="docdef.html">number</A></VAR> <VAR><A HREF="docdef.html">number</A></VAR> <VAR><A HREF="docdef.html">number</A></VAR> <VAR>string</VAR>; ] }; @@ -238,7 +238,7 @@ string representing the key. <HR> <ADDRESS> -Last Updated: $Id: zone.html,v 1.23 1999/09/30 17:58:41 cyarnell Exp $ +Last Updated: $Id: zone.html,v 1.24 2000/01/12 01:28:32 cyarnell Exp $ </ADDRESS> </BODY> </HTML> diff --git a/contrib/bind/doc/man/Makefile b/contrib/bind/doc/man/Makefile index b792ef9..604c293 100644 --- a/contrib/bind/doc/man/Makefile +++ b/contrib/bind/doc/man/Makefile 
@@ -279,7 +279,7 @@ NSUPDATE_OUT = nsupdate.${SYS_OPS_OUT_EXT} # Network library routines manual entries # LIB_NETWORK_BASE = gethostbyname inet_cidr resolver hesiod getnetent \ - tsig getaddrinfo inet_cidr getipnodebyname + tsig getaddrinfo getnameinfo getipnodebyname LIB_NETWORK_SRC_EXT = 3 LIB_NETWORK_SRC = gethostbyname.${LIB_NETWORK_SRC_EXT} \ inet_cidr.${LIB_NETWORK_SRC_EXT} \ diff --git a/contrib/bind/doc/man/host.1 b/contrib/bind/doc/man/host.1 index 017d082..12219e7 100644 --- a/contrib/bind/doc/man/host.1 +++ b/contrib/bind/doc/man/host.1 @@ -50,7 +50,7 @@ .\" SOFTWARE. .\" - .\" --Copyright-- -.\" $Id: host.1,v 8.2 1997/03/14 02:29:44 vixie Exp $ +.\" $Id: host.1,v 8.4 2000/02/29 03:50:47 vixie Exp $ .Dd December 15, 1994 .Dt HOST @CMD_EXT_U@ .Os BSD 4 @@ -182,6 +182,8 @@ its own database. It will not ask other servers for more information. .It Fl d Turn on debugging. Network transactions are shown in detail. +.It Fl s +Chase signatures back to parent key (DNSSEC). .It Fl t Ar querytype Allows you to specify a particular .Ar querytype @@ -255,6 +257,7 @@ is implemented by doing a complete zone transfer and then filtering out the information the you have asked for. This command should be used only if it is absolutely necessary. +.El .Sh CUSTOMIZING HOST NAME LOOKUP In general, if the name supplied by the user does not have any dots in it, a default domain is appended to the end. diff --git a/contrib/bind/doc/man/named.8 b/contrib/bind/doc/man/named.8 index c0e73df..80ee217 100644 --- a/contrib/bind/doc/man/named.8 +++ b/contrib/bind/doc/man/named.8 @@ -332,7 +332,7 @@ An example SOA record is as follows: 86400 ) ; minimum .Ed .Pp -The SOA specifies a serial number, which should be changed each time the +The SOA specifies a serial number, which should be incremented each time the master file is changed. Note that the serial number can be given as a dotted number, but this is a .Em very 
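Review bot: in the Makefile hunk the duplicated `inet_cidr` in LIB_NETWORK_BASE is replaced by `getnameinfo`, but the diffstat at the top of this commit lists no getnameinfo.3 under contrib/bind/doc/man, and the visible tail of LIB_NETWORK_SRC (`gethostbyname.${LIB_NETWORK_SRC_EXT} \` / `inet_cidr.${LIB_NETWORK_SRC_EXT} \`) is cut off before a matching entry would appear; confirm that getnameinfo.3 is present in the import and listed in LIB_NETWORK_SRC, otherwise the man-page build will fail on the new base name.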
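Review bot: in the named.8 -332 hunk, "incremented" is the right word for the SOA serial and the change should be taken; since the sentence now hinges on the serial going up rather than merely differing, the paragraph would benefit from one line saying why (secondaries compare the serial against the one they already hold), which also motivates the warning about dotted serial numbers in the context that follows.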
@@ -416,6 +416,7 @@ Toggles logging of all incoming queries via (requires server to have been built with the .Li QRYLOG option). +.El .Sh FILES .Bl -tag -width "/var/tmp/named_dump.db (_PATH_DUMPFILE) " -compact .It Pa /etc/named.conf diff --git a/contrib/bind/doc/man/named.conf.5 b/contrib/bind/doc/man/named.conf.5 index 44f1ec9..6dde5ca 100644 --- a/contrib/bind/doc/man/named.conf.5 +++ b/contrib/bind/doc/man/named.conf.5 @@ -1281,7 +1281,8 @@ may also be specified in the .Ic zone statement, in which case it overrides the .Ic options allow-query -statement. If not specified, the default is +statement. If not specified, the default is to allow queries +from all hosts. .Bl -tag -width 1 .It Ic allow-recursion @@ -1310,6 +1311,7 @@ Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries from these addresses will not be responded to. .El +.El .Ss Interfaces @@ -1757,6 +1759,8 @@ zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] { [ allow-update { \fIaddress_match_list\fR }; ] [ allow-query { \fIaddress_match_list\fR }; ] [ allow-transfer { \fIaddress_match_list\fR }; ] + [ forward ( only | first ); ] + [ forwarders { [ \fIip_addr\fR ; [ \fIip_addr\fR ; ... ] ] }; ] [ dialup \fIyes_or_no\fR; ] [ notify \fIyes_or_no\fR; ] [ also-notify { \fIip_addr\fR; [ \fIip_addr\fR; ... ] }; @@ -1771,6 +1775,8 @@ zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] { [ allow-update { \fIaddress_match_list\fR }; ] [ allow-query { \fIaddress_match_list\fR }; ] [ allow-transfer { \fIaddress_match_list\fR }; ] + [ forward ( only | first ); ] + [ forwarders { [ \fIip_addr\fR ; [ \fIip_addr\fR ; ... ] ] }; ] [ transfer-source \fIip_addr\fR; ] [ max-transfer-time-in \fInumber\fR; ] [ notify \fIyes_or_no\fR; ] diff --git a/contrib/bind/doc/man/nslookup.8 b/contrib/bind/doc/man/nslookup.8 index 5ba1850..d74d84f 100644 --- a/contrib/bind/doc/man/nslookup.8 +++ b/contrib/bind/doc/man/nslookup.8 
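Review bot: in the named.conf.5 -1281 hunk, completing the dangling sentence with "the default is to allow queries from all hosts" is correct and worth stating explicitly; because the allow-recursion item in the context two lines later and the option described in the -1310 hunk (addresses the server will not accept queries from) are where an administrator actually limits exposure, consider adding one sentence pointing readers of the allow-query default at those two items so the all-hosts default is not read as a recommendation.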
@@ -516,12 +516,14 @@ initial domain name and name server addresses user's initial options .It Pa /usr/share/misc/nslookup.help summary of commands +.El .Sh ENVIRONMENT .Bl -tag -width "HOSTALIASESXXXX" -compact .It Ev HOSTALIASES file containing host aliases .It Ev LOCALDOMAIN overrides default domain +.El .Sh SEE ALSO .Xr @INDOT@named @SYS_OPS_EXT@ , .Xr resolver @LIB_NETWORK_EXT@ , diff --git a/contrib/bind/doc/man/nsupdate.8 b/contrib/bind/doc/man/nsupdate.8 index feaa64c..296709b 100644 --- a/contrib/bind/doc/man/nsupdate.8 +++ b/contrib/bind/doc/man/nsupdate.8 @@ -1,4 +1,4 @@ -.\" $Id: nsupdate.8,v 8.4 1999/10/17 06:26:18 cyarnell Exp $ +.\" $Id: nsupdate.8,v 8.5 2000/02/29 03:50:48 vixie Exp $ .\" .\"Copyright (c) 1999 by Internet Software Consortium .\" @@ -47,6 +47,7 @@ Debug mode. .It Fl v Virtual circuit - use TCP to communication with server. Default is UDP. +.El .Sh INPUT FORMAT .Ic Nsupdate reads input records, one per line, @@ -79,7 +80,7 @@ will be performed. understands the following input record formats: .Pp -.Bl -ohang +.Bl -hang .It Ic prereq nxdomain Va domain-name Requires that no RR of any type exists with name @@ -178,7 +179,7 @@ $ nsupdate -k /var/named/keys:mykey .Ed .Sh DIAGNOSTICS -.Bl -ohang +.Bl -hang .It Qq send error Typically indicates that the authoritative nameservers could not be reached @@ -196,9 +197,11 @@ being performed. The only way to determine if the update was performed is to use debug mode .Fl ( d ) and examine the status field in the nameserver's reply. - +.El .Sh FILES +.Bl -hang .It Pa /etc/resolv.conf +.El initial domain name and name server addresses .Sh SEE ALSO .Xr @INDOT@named @SYS_OPS_EXT@ , diff --git a/contrib/bind/doc/man/resolver.3 b/contrib/bind/doc/man/resolver.3 index 6ddfe11..890c836 100644 --- a/contrib/bind/doc/man/resolver.3 +++ b/contrib/bind/doc/man/resolver.3 
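Review bot: in the nsupdate.8 FILES hunk (-196) the new `.El` is placed between `.It Pa /etc/resolv.conf` and its description line "initial domain name and name server addresses", so the description is emitted outside the list; move `.El` below the description line, directly before `.Sh SEE ALSO`.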
@@ -16,17 +16,17 @@ .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" .\" @(#)resolver.3 6.5 (Berkeley) 6/23/90 -.\" $Id: resolver.3,v 8.11 1999/09/13 23:33:24 vixie Exp $ +.\" $Id: resolver.3,v 8.12 2000/07/11 06:10:55 vixie Exp $ .\" -.Dd October 19, 1998 +.Dd July 4, 2000 .Dt RESOLVER @LIB_NETWORK_EXT_U@ .Os BSD 4 .Sh NAME .Nm res_ninit , -.Nm res_nisourserver , +.Nm res_ourserver_p , .Nm fp_resstat , -.Nm res_npquery , .Nm res_hostalias , +.Nm res_pquery , .Nm res_nquery , .Nm res_nsearch , .Nm res_nquerydomain , @@ -36,16 +36,15 @@ .Nm res_nmkupdate , .Nm res_nclose , .Nm res_nsendsigned , -.Nm res_nsendupdate , .Nm res_findzonecut , .Nm dn_comp , .Nm dn_expand , .Nm hstrerror , .Nm res_init , .Nm res_isourserver , -.Nm p_nquery , -.Mm p_query , -.Mm hostalias , +.Nm fp_nquery , +.Nm p_query , +.Nm hostalias , .Nm res_query , .Nm res_search , .Nm res_querydomain , @@ -61,10 +60,10 @@ .Fd #include <arpa/nameser.h> .Fd #include <resolv.h> .Fn res_ninit "res_state statp" -.Fn res_nisourserver "const res_state statp" "const struct sockaddr_in *addr" +.Fn res_ourserver_p "const res_state statp" "const struct sockaddr_in *addr" .Fn fp_resstat "const res_state statp" "FILE *fp" -.Fn res_npquery "const res_state statp" "const u_char *msg" "int msglen" "FILE *fp" .Fn res_hostalias "const res_state statp" "const char *name" "char *buf" "size_t buflen" +.Fn res_pquery "const res_state statp" "const u_char *msg" "int msglen" "FILE *fp" .Fn res_nquery "res_state statp" "const char *dname" "int class" "int type" "u_char *answer" "int anslen" .Fn res_nsearch "res_state statp" "const char *dname" "int class" "int type" "u_char * answer" "int anslen" .Fn res_nquerydomain "res_state statp" "const char *name" "const char *domain" "int class" "int type" "u_char *answer" "int anslen" 
@@ -75,7 +74,6 @@ .Fn res_nclose "res_state statp" .Fn res_nsendsigned "res_state statp" "const u_char *msg" "int msglen" "ns_tsig_key *key" "u_char *answer" "int anslen" .Fn res_findzonecut "res_state statp" "const char *dname" "ns_class class" "int options" "char *zname" "size_t zsize" "struct in_addr *addrs" "int naddrs" -.Fn res_nsendupdate "res_state statp" "ns_updrec *rrecp_in" "ns_tsig_key *key" "char *zname" "struct in_addr addr" .Fn dn_comp "const char *exp_dn" "u_char *comp_dn" "int length" "u_char **dnptrs, **lastdnptr" .Fn dn_expand "const u_char *msg, *eomorig, *comp_dn" "char *exp_dn" "int length" .Fn hstrerror "int err" @@ -87,7 +85,7 @@ .Fd #include <resolv.h> .Fn res_init "void" .Fn res_isourserver "const struct sockaddr_in *addr" -.Fn p_nquery "const u_char *msg" "int msglen" "FILE *fp" +.Fn fp_nquery "const u_char *msg" "int msglen" "FILE *fp" .Fn p_query "const u_char *msg" "FILE *fp" .Fn hostalias "const char *name" .Fn res_query "const char *dname" "int class, type" "u_char *answer" "int anslen" @@ -111,7 +109,7 @@ should be set to all zeros prior to the first call to any of these functions. The functions .Fn res_init , .Fn res_isourserver , -.Fn p_nquery , +.Fn fp_nquery , .Fn p_query , .Fn hostalias , .Fn res_query , @@ -373,11 +371,9 @@ MUST be big enough to receive a maximum UDP response from the server or parts of the answer will be silently discarded. The default maximum UDP response size is 512 bytes. .Pp -The functions -.Fn res_nisourserver -/ -.Fn res_isourserver -return true when +The function +.Fn res_ourserver_p +returns true when .Fa inp is one of the servers in .Fa statp->nsaddr_list @@ -385,9 +381,7 @@ is one of the servers in .Fa _res.nsaddr_list . .Pp The functions -.Fn res_npquery -/ -.Fn p_nquery +.Fn fp_nquery / .Fn p_query print out the query and any answer in @@ -396,7 +390,7 @@ on .Fa fp . .Fn p_query is equivalent to -.Fn p_nquery +.Fn fp_nquery with .Fa msglen set to 512. 
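Review bot: the rewritten description of res_ourserver_p in the resolver.3 -373 hunk says it returns true when `.Fa inp` is one of the servers, but the SYNOPSIS line in the -61 hunk declares the parameter as `const struct sockaddr_in *addr`; use the same name in both places so the prose can be matched to the prototype.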
@@ -429,22 +423,18 @@ The functions take a list of ns_updrec .Fa rrecp_in . Identifies the containing zone for each record and groups the records -according to containing zone maintaining in zone order then sends and -update request to the servers for these zones. -The number of zones updated is returned or -1 on error. +according to containing zone maintaining in zone order then sends and update +request to the servers for these zones. The number of zones updated is +returned or -1 on error. Note that +.Fn res_nupdate +will perform TSIG authenticated dynamic update operations if the key is not +NULL. .Pp The function .Fn res_findzonecut discovers the closest enclosing zone cut for a specified domain name, and finds the IP addresses of the zone's master servers. .Pp -The function -.Fn res_nsendupdate -is used to perform TSIG authenticated dynamic update operations. -.Fn res_nsendupdate -sends a dynamic update to the specified IP address, authenticating the update -if the key is not NULL. -.Pp The functions .Fn res_nmkupdate / diff --git a/contrib/bind/doc/misc/FAQ.1of2 b/contrib/bind/doc/misc/FAQ.1of2 index 99619eb..9eea797 100644 --- a/contrib/bind/doc/misc/FAQ.1of2 +++ b/contrib/bind/doc/misc/FAQ.1of2 @@ -1,47 +1,45 @@ -Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers -Path: vixie!news1.digital.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.mathworks.com!news.kei.com!uhog.mit.edu!rutgers!njitgw.njit.edu!hertz.njit.edu!cdp2582 +Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!news-out.cwix.com!news1.cwix.com!newsfeed.cwix.com!204.59.152.222!news-peer.gip.net!news.gsl.net!gip.net!news.idt.net!newsin.iconnet.net!IConNet!not-for-mail 
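Review bot: the rewrapped paragraph in the resolver.3 -429 hunk keeps two grammar slips from the old text: "sends and update request" should be "sends an update request", and the sentence beginning "Identifies the containing zone" has no subject. Since the TSIG sentence that used to describe res_nsendupdate now hangs on res_nupdate, say which parameter "the key" refers to, as the deleted synopsis line did with its `ns_tsig_key *key` argument.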
From: cdp2582@hertz.njit.edu (Chris Peckham) +Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers,comp.protocols.dns.bind Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 1 of 2) -Message-ID: <cptd-faq-1-849940949@njit.edu> +Supersedes: <cptd-faq-1-916718634@njit.edu> Followup-To: comp.protocols.tcp-ip.domains -Originator: cdp2582@hertz.njit.edu -Keywords: BIND,DOMAIN,DNS -Sender: news@njit.edu -Supersedes: <cptd-faq-1-847336183@njit.edu> -Nntp-Posting-Host: hertz.njit.edu -X-Posting-Frequency: posted during the first week of each month -Reply-To: domain-faq@njit.edu (comp.protocols.tcp-ip.domains FAQ comments) Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA -Date: Sat, 7 Dec 1996 06:42:36 GMT +Lines: 1919 +Sender: cdp@chipmunk.iconnet.net Approved: news-answers-request@MIT.EDU -Expires: Sat 11 Jan 97 02:42:29 EDT -Lines: 1582 -Xref: vixie comp.protocols.tcp-ip.domains:12904 comp.answers:22440 news.answers:85682 +Distribution: world +Expires: Thursday, 18 Mar 99 15:18:37 EDT +Message-ID: <cptd-faq-1-918764317@njit.edu> +Reply-To: cdp@intac.com (comp.protocols.tcp-ip.domains FAQ comments) +Keywords: BIND,DOMAIN,DNS +X-Posting-Frequency: posted during the first week of each month +Date: Thu, 11 Feb 1999 20:18:01 GMT +NNTP-Posting-Host: chipmunk.iconnet.net +NNTP-Posting-Date: Thu, 11 Feb 1999 15:18:01 EDT +Xref: senator-bedfellow.mit.edu comp.protocols.tcp-ip.domains:22750 comp.answers:35016 news.answers:151035 comp.protocols.dns.bind:6289 -Posted-By: auto-faq 3.1.1.2 +Posted-By: auto-faq 3.3 beta (Perl 5.004) Archive-name: internet/tcp-ip/domains-faq/part1 -Revision: 1.14 1996/12/07 06:42:05 - Note that this posting has been split into two parts because of its size. -$Id: FAQ.1of2,v 8.4 1996/12/18 04:22:33 vixie Exp $ +$Id: FAQ.1of2,v 8.5 2000/07/11 04:23:13 vixie Exp $ A new version of this document appears monthly. If this copy is more than a month old it may be out of date. 
-This FAQ is edited and maintained by Chris Peckham, <cdp@pfmc.net>. The +This FAQ is edited and maintained by Chris Peckham, <cdp@intac.com>. The most recently posted version may be found for anonymous ftp from rtfm.mit.edu : /pub/usenet/news.answers/internet/tcp-ip/domains-faq -It is also available in HTML from -http://www.users.pfmc.net/~cdp/cptd-faq/. +It is also available in HTML from http://www.intac.com/~cdp/cptd-faq/. If you can contribute any answers for items in the TODO section, please do -so by sending e-mail to <domain-faq@pfmc.net> ! If you know of any items -that are not included and you feel that they should be, send the -relevant information to <domain-faq@pfmc.net>. +so by sending e-mail to <cdp@intac.com> ! If you know of any items that +are not included and you feel that they should be, send the relevant +information to <cdp@intac.com>. =============================================================================== @@ -64,7 +62,7 @@ Index Q2.10 Issues when changing your domain name Q2.11 How memory and CPU does DNS use ? Q2.12 Other things to consider when planning your servers - Q2.13 Proper way to get NS and reverse IP records into DNS + Q2.13 Reverse domains (IN-ADDR.ARPA) and their delegation Q2.14 How do I get my address assigned from the NIC ? Q2.15 Is there a block of private IP addresses I can use? Q2.16 Does BIND cache negative answers (failed DNS lookups) ? 
@@ -73,12 +71,16 @@ Index Q2.19 What is the cache file Q2.20 Obtaining the latest cache file Q2.21 Selecting a nameserver/root cache - Q2.22 InterNIC and domain names + Q2.22 Domain names and legal issues + Q2.23 Iterative and Recursive lookups + Q2.24 Dynamic DNS + Q2.25 What version of bind is running on a server ? + Q2.26 BIND and Y2K Section 3. UTILITIES Q3.1 Utilities to administer DNS zone files Q3.2 DIG - Domain Internet Groper - Q3.3 DNS packet analyser + Q3.3 DNS packet analyzer Q3.4 host Q3.5 How can I use DNS information in my program? Q3.6 A source of information relating to DNS 
@@ -90,32 +92,42 @@ Index Q4.4 My server does not consider itself authoritative ! Q4.5 NS records don't configure servers as authoritative ? Q4.6 underscore in host-/domainnames - Q4.7 What is lame delegation ? - Q4.8 How can I see if the server is "lame" ? - Q4.9 What does opt-class field in a zone file do? - Q4.10 Top level domains - Q4.11 Classes of networks - Q4.12 What is CIDR ? - Q4.13 What is the rule for glue ? + Q4.7 How do I turn the "_" check off ? + Q4.8 What is lame delegation ? + Q4.9 How can I see if the server is "lame" ? + Q4.10 What does opt-class field in a zone file do? + Q4.11 Top level domains + Q4.12 US Domain + Q4.13 Classes of networks + Q4.14 What is CIDR ? + Q4.15 What is the rule for glue ? + Q4.16 What is a stub record/directive ? Section 5. CONFIGURATION - Q5.1 Changing a Secondary server to a Primary server ? - Q5.2 Moving a Primary server to another server - Q5.3 How do I subnet a Class B Address ? - Q5.4 Subnetted domain name service - Q5.5 Recommended format/style of DNS files - Q5.6 DNS on a system not connected to the Internet - Q5.7 Multiple Domain configuration - Q5.8 wildcard MX records - Q5.9 How do you identify a wildcard MX record ? - Q5.10 Why are fully qualified domain names recommended ? - Q5.11 Distributing load using named - Q5.12 Order of returned records - Q5.13 resolv.conf - Q5.14 How do I delegate authority for sub-domains ? - Q5.15 DNS instead of NIS on a Sun OS 4.1.x system - Q5.16 Patches to add functionality to BIND - Q5.17 How to serve multiple domains from one server + Q5.1 Upgrading from 4.9.x to 8.x + Q5.2 Changing a Secondary server to a Primary server ? + Q5.3 Moving a Primary server to another server + Q5.4 How do I subnet a Class B Address ? + Q5.5 Subnetted domain name service + Q5.6 Recommended format/style of DNS files + Q5.7 DNS on a system not connected to the Internet + Q5.8 Multiple Domain configuration + Q5.9 wildcard MX records + Q5.10 How do you identify a wildcard MX record ? 
+ Q5.11 Why are fully qualified domain names recommended ? + Q5.12 Distributing load using named + Q5.13 Round robin IS NOT load balancing + Q5.14 Order of returned records + Q5.15 resolv.conf + Q5.16 How do I delegate authority for sub-domains ? + Q5.17 DNS instead of NIS on a Sun OS 4.1.x system + Q5.18 Patches to add functionality to BIND + Q5.19 How to serve multiple domains from one server + Q5.20 hostname and domain name the same + Q5.21 Restricting zone transfers + Q5.22 DNS in firewalled and private networks + Q5.23 Modifying the Behavior of DNS with ndots + Q5.24 Different DNS answers for same RR Section 6. PROBLEMS Q6.1 No address for root server @@ -128,8 +140,24 @@ Index Q6.8 General problems (core dumps !) Q6.9 malloc and DECstations Q6.10 Can't resolve names without a "." - Q6.11 Err/TO errors being reported - Q6.12 Why does swapping kill BIND ? + Q6.11 Why does swapping kill BIND ? + Q6.12 Resource limits warning in system + Q6.13 ERROR:ns_forw: query...learnt + Q6.14 ERROR:zone has trailing dot + Q6.15 ERROR:Zone declared more then once + Q6.16 ERROR:response from unexpected source + Q6.17 ERROR:record too short from [zone name] + Q6.18 ERROR:sysquery: findns error (3) + Q6.19 ERROR:Err/TO getting serial# for XXX + Q6.20 ERROR:zonename IN NS points to a CNAME + Q6.21 ERROR:Masters for secondary zone [XX] unreachable + Q6.22 ERROR:secondary zone [XX] expired + Q6.23 ERROR:bad response to SOA query from [address] + Q6.24 ERROR:premature EOF, fetching [zone] + Q6.25 ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours + Q6.26 ERROR:connect(IP/address) for zone [XX] failed + Q6.27 ERROR:sysquery: no addrs found for NS + Q6.28 ERROR:zone [name] rejected due to errors Section 7. ACKNOWLEDGEMENTS Q7.1 How is this FAQ generated ? 
@@ -147,23 +175,23 @@ Section 1. TO DO / UPDATES Question 1.1. Contributions needed -Date: Fri Dec 6 00:40:00 EST 1996 +Date: Mon Jan 18 22:57:01 EST 1999 -* Expand the slave/forward section +* Additional information on the new TLDs +* Expand on Q: How to serve multiple domains from one server +* Q: DNS ports - need to expand/correct some issues ----------------------------------------------------------------------------- Question 1.2. UPDATES / Changes since last posting -Date: Fri Dec 6 00:40:00 EST 1996 +Date: Thu Feb 11 14:36:02 EST 1999 -* The FAQ is now maintained in BFNN (Bizzare format with No Name). This - allows me to create ASCII, HTML, and GNU info (postscript coming soon) - from one source file. -* References to 4.9.4 changed to 4.9.5. -* memory/CPU usage question - removed uunet map reference. Not there... -* Minor edits of information and questions for new format. -* How do I delegate authority for sub-domains ? - edited answer +* DNS in firewalled and private networks - Updated with comment about hint + file +* host - Updated NT info +* How do I register a domain ? - JP NIC +* BIND and Y2K =============================================================================== @@ -181,7 +209,7 @@ Section 2. INTRODUCTION / MISCELLANEOUS Q2.10 Issues when changing your domain name Q2.11 How memory and CPU does DNS use ? Q2.12 Other things to consider when planning your servers - Q2.13 Proper way to get NS and reverse IP records into DNS + Q2.13 Reverse domains (IN-ADDR.ARPA) and their delegation Q2.14 How do I get my address assigned from the NIC ? Q2.15 Is there a block of private IP addresses I can use? Q2.16 Does BIND cache negative answers (failed DNS lookups) ? 
@@ -190,7 +218,11 @@ Section 2. INTRODUCTION / MISCELLANEOUS Q2.19 What is the cache file Q2.20 Obtaining the latest cache file Q2.21 Selecting a nameserver/root cache - Q2.22 InterNIC and domain names + Q2.22 Domain names and legal issues + Q2.23 Iterative and Recursive lookups + Q2.24 Dynamic DNS + Q2.25 What version of bind is running on a server ? + Q2.26 BIND and Y2K ----------------------------------------------------------------------------- 
@@ -290,13 +322,42 @@ name servers in general (whether BIND-derived or not). Question 2.5. Where is the latest version of BIND located ? -Fri Dec 6 00:23:19 EST 1996 +Date: Mon Sep 14 22:46:00 EDT 1998 + +This information may be found at http://www.vix.com/isc/bind/. + +Presently, there are two 'production level' versions of BIND. They are +versions 4 and 8. + +Version 4 is the last "traditional" BIND -- the one everybody on the +Internet runs, except a few hundred sites running... + +Version 8 has been called "BIND-ng" (Next Generation). Many new features +are found in version 8. + +BIND-8.1 has the following features: -This information may be found at http://www.vix.com/isc/bind.html +* DNS Dynamic Updates (RFC 2136) +* DNS Change Notification (RFC 1996) +* Completely new configuration syntax +* Flexible, categorized logging system +* IP-address-based access control for queries, zone transfers, and updates + that may be specified on a zone-by-zone basis +* More efficient zone transfers +* Improved performance for servers with thousands of zones +* The server no longer forks for outbound zone transfers +* Many bug fixes. -At this time, BIND version of 4.9.5 may be found for anonymous ftp from +Bind version 8.1.2 may be found at the following location: -ftp.vix.com : /pub/bind/release/4.9.5/bind-4.9.5-REL.tar.gz +* Source ftp.isc.org : /isc/bind/src/8.1.2/bind-8.1.2-src.tar.gz +* Documentation ftp.isc.org : /isc/bind/src/8.1.2/bind-8.1.2-doc.tar.gz +* Contributed packages ftp.isc.org : + /isc/bind/src/8.1.2/bind-8.1.2-contrib.tar.gz + +At this time, BIND version 4.9.7 may be found for anonymous ftp from + +ftp.isc.org : /isc/bind/src/4.9.7/bind-4.9.7-REL.tar.gz Other sites that officially mirror the BIND distribution are 
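Review bot: the new answer to "Where is the latest version of BIND located ?" names 8.1.2 and 4.9.7 as the current releases and lists 8.1 features, while this import is BIND 8.2.3-T6B (commit message) and the file's $Id stamp is 2000/07/11; nothing to change in a vendor import, but anyone copying this answer into local documentation should note it is stale relative to the bundled server. The added sentence "except a few hundred sites running..." is also cut off mid-thought in the new text.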
@@ -321,17 +382,22 @@ prep.ai.mit.edu : /pub/gnu/patch-2.1.tar.gz A version of BIND for Windows NT is available for anonymous ftp from -ftp.vix.com : /pub/bind/release/4.9.5/contrib/ntdns495relbin.zip +ftp.isc.org : /isc/bind/contrib/ntbind/ntdns497relbin.zip and -ftp.vix.com : /pub/bind/release/4.9.5/contrib/ntbind495rel.zip +ftp.isc.org : /isc/bind/contrib/ntbind/ntbind497rel.zip + +If you contact access@drcoffsite.com, he will send you information +regarding a Windows NT/WIN95 bind port of 4.9.6 release. + +A Freeware version of Bind for NT is available at http://www.software.com. ----------------------------------------------------------------------------- Question 2.6. How can I find the path taken between two systems/domains ? -Date: Fri Dec 6 00:10:31 EST 1996 +Date: Wed Jan 14 12:07:03 EST 1998 On a Unix system, use traceroute. If it is not available to you, you may obtain the source source for 'traceroute', compile it and install it on @@ -346,11 +412,20 @@ Another version may be found for anonymous ftp from ftp.psc.edu : /pub/net_tools/traceroute.tar +NT/Windows 95 users may use the command TRACERT.EXE, which is installed +with the TCP/IP protocol support. There is a Winsock utility called +WS_PING by John Junod that provides ping, traceroute, and nslookup +functionality. + +There are several shareware TCP/IP utilities that provide ping, +traceroute, and DNS lookup functionality for a Macintosh: Mac TCP Watcher +and IP Net Monitor are two of them. + ----------------------------------------------------------------------------- Question 2.7. How do you find the hostname given the TCP-IP address ? -Date: Thu Dec 1 09:55:24 EST 1994 + Mon Jun 15 21:32:57 EDT 1998 For an address a.b.c.d you can always do: 
@@ -367,42 +442,75 @@ DiG will work like this also: % dig -x a.b.c.d -host from the contrib/host from the bind distribution may also be used. +dig is included in the bind distribution. host from the bind distribution +may also be used. + +On a Macintosh, some shareware utilities may be used. IP Net Monitor has +a very nice NS Lookup feature, producing DiG-like output; Mac TCP Watcher +just has a simple name-to-address and address-to-name translator. ----------------------------------------------------------------------------- Question 2.8. How do I register a domain ? -Date: Wed Sep 4 23:59:42 EDT 1996 +Date: Thu Feb 11 14:51:50 EST 1999 + +Procedures for registering a domain name depend on the top level domain +(TLD) to which the desired domain name will belong, i.e. the rightmost +suffix of the desired domain name. See the answer to "Top level domains" +question in the DEFINITIONS SECTION of this FAQ. + +Although domain registration may be performed by a direct contact with the +appropriate domain registration authorities (domain name registrars), the +easiest way to do it is to talk to your Internet Service Providers. They +can submit a domain registration request on your behalf, as well as to set +up secondary DNS for your domain (or both DNS servers, if you need a +domain name for Web hosting and/or mail delivery purposes only). -You can talk to your Internet Service Provider (ISP). They can submit the -registration for you. If you are not going to be directly connected, they -should be able to offer MX records for your domain for mail delivery (so -that mail sent to the new domain will be sent to your "standard" account). In the case where the registration is done by the organization itself, it still makes the whole process much easier if the ISP is approached for -secondary servers _before_ the InterNIC is approached for registration. +secondary (see RFC 2182) servers _before_ the InterNIC is approached +for registration. 
-For information about making the registration yourself, look to the -InterNIC (or other similar organization). +In any case, you will need at least two domain name servers when you +register your domain. Many ISP's are willing to provide primary and/or +secondary name service for their customers. If you want to register a +domain name ending with .COM, .NET, .ORG, you'll want to take a look to +the InterNIC: -* anonymout ftp from internic.net : /templates +* http://www.internic.net/ -> Registration Services +* internic.net : /templates/domain-template.txt * gopher://rs.internic.net/ -* http://rs.internic.net/reg/reg-forms.html -* http://www.ripe.net/ -You will need at least two domain name servers when you register your -domain. Many ISP's are willing to provide primary and/or secondary name -service for their customers. +Please note that the InterNIC charges a fee for domain names in the "COM", +"ORG", and "NET". More information may be found from the Internic at + +http://rs.internic.net/domain-info/fee-policy.html. -Please note that the InterNIC is now charging a fee for domain names in -the "COM", "ORG", and "NET". More information may be found from the -Internic at +Note that InterNIC doesn't allocate and assign IP numbers any more. Please +refer to the answer to "How do I get my address assigned from the NIC?" in +this section. -http://rs.internic.net/domain-info/fee-policy.html +Registration of domain names ending with country code suffixes (ISO 3166 - +.FR, .CH, .SE etc.) is being done by the national domain name registrars +(NICs). 
If you want to obtain such a domain, please refer to the following +links: + +Additional domain/whois information may be found: + +* http://rs.internic.net/help/other-reg.html +* http://www.iana.org/ +* http://www.ripe.net/centr/tld.html +* http://www.UNINETT.NO/navn/domreg.html +* http://www.nic.fr/Guides/AutresNics/ +* http://www.arin.net +* whois.apnic.net +* whois.nic.ad.jp (with /e at the end of query for English) +* sipb.mit.edu : /pub/whois/whois-servers.list +* http://www.geektools.com/whois.html Many times, registration of a domain name can be initiated by sending -e-mail to the zone contact. You can obtain the contact in the SOA record +e-mail to the zone contact. You can obtain the contact in the SOA record for the country, or in a whois server: $ nslookup -type=SOA fr. 
@@ -417,23 +525,26 @@ An alternate method to obtain the e-mail address of the national NIC is the 'whois' server at InterNIC. You may be requested to make your request to another email address or -using a certain information template/application. +using a certain information template/application. You may be requested to +make your request to another email address or using a certain information +template/application. Please remember that every TLD registrar has its own +registration policies and procedures. ----------------------------------------------------------------------------- Question 2.9. How can I change the IP address of our server ? -Date: Sun May 5 22:46:28 EDT 1996 +Date: Wed Jan 14 12:09:09 EST 1998 (From Mark Andrews) Before the move. -* Ensure you are running a modern nameserver. BIND 4.9.3-REL + Patch1 is a - good choice. +* Ensure you are running a modern nameserver. BIND 4.9.6-P1 or 8.1.1 are + good choices. * Inform all your secondaries that you are going to change. Have them install both the current and new addresses in their named.boot's. * Drop the ttl of the A's associated with the nameserver to something small (5 min is usually good). -* Drop the refesh and retry times of the zone containing the forward +* Drop the refresh and retry times of the zone containing the forward records for the server. * Configure the new reverse zone before the move and make sure it is operational. 
@@ -449,8 +560,13 @@ offering. Then, files). * Inform all the secondaries the move is complete. * Inform the parents of all zones you are primary of the new NS/A pairs - for the relevent zones. -* Inform all the administators of zones you are secondaring that the + for the relevant zones. If you're changing the address of a server + registered with the InterNIC, you also need to submit a Modify Host form + to the InterNIC, so they will update the glue records on the root + servers. It can take the InterNIC a few days to process this form, and + the old glue records have 2-day TTL's, so this transition may be + problematic. +* Inform all the administrators of zones you are secondarying that the machine has moved. * For good measure update the serial no for all zones you are primary for. This will flush out old A's. @@ -501,7 +617,7 @@ keep in mind when planning are: As an example, here is a snapshot of memory usage from CSIRO Division of Mathematics and Statistics, Australia - Named takes several days to stabalize its memory usage. + Named takes several days to stabilize its memory usage. Our main server stabalises at ~10Mb. It takes about 3 days to reach this size from 6 M at startup. This is under Sun OS 4.1.3U1. 
@@ -550,58 +666,124 @@ consider the following issues: traffic among several machines strategically located, possibly larger ones, and/or subdividing your domain itself. There are many options, tradeoffs, and DNS architectural paradigms from which to choose. + ----------------------------------------------------------------------------- -Question 2.13. Proper way to get NS and reverse IP records into DNS +Question 2.13. Reverse domains (IN-ADDR.ARPA) and their delegation -Date: Mon Jan 2 13:03:53 EST 1995 +Date: Mon Jun 15 23:28:47 EDT 1998 -Reverse domain registration is separate from forward domain registration. -Blocks of network addresses have been delegated by the InterNIC. Check if -your network a.b.c.0 is in such a block by using nslookup: +(The following section was contributed by Berislav Todorovic.) - nslookup -type=soa c.b.a.in-addr.arpa. - nslookup -type=soa b.a.in-addr.arpa. - nslookup -type=soa a.in-addr.arpa. +Reverse domains (subdomains of the IN-ADDR.ARPA domain) are being used by +the domain name service to perform reverse name mapping - from IP +addresses to host names. Reverse domains are more closely related to IP +address space usage than to the "forward" domain names used. For example, +a host using IP address 10.91.8.6 will have its "reverse" name: +6.8.91.10.IN-ADDR.ARPA, which must be entered in the DNS, by a PTR record: -One of the above should give you the information you are looking for (the -others will return with an error something like `*** No start of authority -(SOA) records available for ...') This will give you the email address of -the person to whom you should address your change request. +6.8.91.10.in-addr.arpa. IN PTR myserver.mydomain.com. -If none of these works, your network probably has not been delegated by -the InterNIC and you need to contact them directly. +In spite of the fact that IP address space is not longer divided into +classes (A, B, C, D, E - see the answer to "What is CIDR?" 
in the +DEFINITIONS section), the reverse host/domain names are organized on IP +address byte boundaries. Thus, the reverse host name +6.8.91.10.IN-ADDR.ARPA may belong to one of the following reverse domains, +depending on the address space allocated/assigned to you and your DNS +configuration: -CIDR has meant that the registration is delegated, but registration of -in-addr.arpa has always been separate from forward zones - and for good -reason - in that the forward and reverse zones may have different -policies, contents etc, may be served by a different set of nameservers, -and exist at different times (usually only at point of creation). There -isn't a one-to-one mapping between the two, so merging the registration -would probably cause more problems than people forgetting/not-knowing that -they had to register in-addr.arpa zones separately. For example, there -are organizations that have hundreds of networks and two or more domains, -with a sprinkling of machines from each network in each of the domains. +(1) 8.91.10.in-addr.arpa -> + assigned one or more "C class" networks (IP >= /24) +(2) 91.10.in-addr.arpa -> + assigned a whole "B class" 10.91/16 (IP = /16) +(3) ISP dependent -> + assigned < "C class" - e.g. 10.91.8/26 (IP < /24) ------------------------------------------------------------------------------ +No matter what is your case (1, 2 or 3) - the reverse domain name must be +properly delegated - registered in the IN-ADDR.ARPA zone. Otherwise, +translation IP -> host name will fail, which may cause troubles when using +some Internet services and accessing some public sites. -Question 2.14. How do I get my address assigned from the NIC ? +To register your reverse domain, talk to your Internet service provider, +to ensure proper DNS configuration, according to your network topology and +address space assigned. They will point you to a further instance, if +necessary. 
Generally speaking, while forward domain name registration is a +matter of domain name registrars (InterNIC, national NICs), reverse domain +name delegation is being done by the authorities, assigning IP address +space - Internet service providers and regional Internet registries (see +the answer to "How do I get my address assigned from the NIC?" in this +section). + +Important notes: + +(1) If you're assigned a block or one or more "Class C" networks, you'll +have to maintain a separate reverse domain zone file for each "Class C" +from the block. For example, if you're assigned 10.91.8/22, you'll have to +configure a separate zone file for 4 domains: + +8.91.10.in-addr.arpa +9.91.10.in-addr.arpa +10.91.10.in-addr.arpa +11.91.10.in-addr.arpa + +and to delegate them further in the DNS (according to the advice from your +ISP). + +(2) If you're assigned a whole "B class" (say, 10.91/16), you're in charge +for the whole 91.10.IN-ADDR.ARPA zone. See the answer to "How do I subnet +a Class B Address?" in the CONFIGURATION section. -Date: Fri Dec 6 01:11:34 EST 1996 +(3) If you're assigned only a portion of a "C class" (say, 10.91.8.0/26) +see the answer to "Subnetted domain name service" question in the +CONFIGURATION section. -You should probably ask your Internet provider to give you an address. -These days, addresses are being distributed through the providers, so that -they can assign adjacent blocks of addresses to sites that go through the -same provider, to permit more efficient routing on the backbones. +For more information on reverse domain delegations see: -Unless you have thousands of hosts, you probably won't be able to get a -class B these days. Instead, you can get a series of class C networks. -Large requests will be queried, so be ready to provide a network plan if -you ask for more than 16 class C networks. 
+* http://www.arin.net/templates/inaddrtemplate.txt +* http://www.ripe.net/docs/ripe-159.html +* ftp.apnic.net : /apnic/docs/in-addr-request -If you can't do this through your Internet provider, you can look for a -subnet registration form on rs.internic.net. See the answer in this FAQ -to the question "How do I register a domain" for a URL to these forms. +----------------------------------------------------------------------------- + +Question 2.14. How do I get my address assigned from the NIC ? + +Date: Mon Jun 15 22:48:24 EDT 1998 + +IP address space assignment to end users is no longer being performed by +regional Internet registries (InterNIC, ARIN, RIPE NCC, APNIC). If you +need IP address space, you should make a request to your Internet service +provider. If you already have address space and need more IP numbers, +make a request to your ISP again and you may be given more numbers +(different ISPs have different allocation requirements and procedures). +If you are a smaller ISP - talk to your upstream ISP to obtain necessary +numbers for your customers. If you change the ISP in the future, you MAY +have to renumber your network. See RFC 2050 and RFC 2071 for more +information on this issue. + +Currently, address space is being distributed in a hierarchical manner: +ISPs assign addresses to their end customers. The regional Internet +registries allocate blocks of addresses (usually sized between /19 (32 "C +class") and /16 (a "B class")) to the ISPs. Finally - IANA (Internet +Assigned Number Authority) allocates necessary address space (/8 ("A +class") sized blocks) to the regional registries, as the need for address +space arises. This hierarchical process ensures more efficient routing on +the backbones (less traffic caused by routing information updates, better +memory utilization in backbone routers etc.) as well as more rational +address usage. + +If you are an ISP, planning to connect yourself to more than one ISP (i.e. 
+becoming multi-homed) and/or expecting to have a lot of customers, you'll +have to obtain ISP independent address space from a regional Internet +registry. Depending on your geographical locations, you can obtain such +address blocks (/19 and larger blocks) from: + +* RIPE NCC (http://www.ripe.net/) -> Europe, North Africa and Middle East +* ARIN (http://www.arin.net/) -> North and South America, Central Africa +* APNIC (http://www.apnic.net/) -> Asian and Pacific region + +While the regional registries do not sell address space, they do charge +for their services (allocation of address space, reverse domain +delegations etc.) ----------------------------------------------------------------------------- @@ -634,7 +816,7 @@ Yes, BIND 4.9.3 and more recent versions will cache negative answers. Question 2.17. What does an NS record really do ? -Date: Wed Sep 4 22:52:18 EDT 1996 +Date: Wed Jan 14 12:28:46 EST 1998 The NS records in your zone data file pointing to the zone's name servers (as opposed to the servers of delegated subdomains) don't do much. 
@@ -645,14 +827,28 @@ However, the NS records in the zone file of the parent domain are used to find the right servers to query for the zone in question. These records are more important than the records in the zone itself. +However, if the parent domain server is a secondary or stub server for the +child domain, it will "hoist" the NS records from the child into the +parent domain. This frequently happens with reverse domains, since the +ISP operates primary reverse DNS for its CIDR block and also often runs +secondary DNS for many customers' reverse domains. + +Caching servers will often replace the NS records learned from the parent +server with the authoritative list that the child server sends in its +authority section. If the authoritative list is missing the secondary +servers, those caching servers won't be able to look up in this domain if +the primary goes down. + +After all of this, it is important that your NS records be correct ! + ----------------------------------------------------------------------------- Question 2.18. DNS ports -Date: Fri Feb 10 15:40:10 EST 1995 +Date: Wed Jan 14 12:31:39 EST 1998 -The following table shows what TCP/UDP ports DNS uses to send and receive -queries: +The following table shows what TCP/UDP ports bind before 8.x DNS uses to +send and receive queries: Prot Src Dst Use udp 53 53 Queries between servers (eg, recursive queries) 
@@ -667,8 +863,12 @@ queries: Note: >1023 is for non-priv ports on Un*x clients. On other client types, the limit may be more or less. +BIND 8.x no longer uses port 53 as the source port for recursive queries. +By defalt it uses a random port >1023, although you can configure a +specific port (53 if you want). + Another point to keep in mind when designing filters for DNS is that a DNS -server uses port 53 both as the source and destination for it's queries. +server uses port 53 both as the source and destination for its queries. So, a client queries an initial server from an unreserved port number to UDP port 53. If the server needs to query another server to get the required info, it sends a UDP query to that server with both source and @@ -725,7 +925,7 @@ from behind a firewall and that can also be used to periodically obtain the latest cache file was posted to comp.protocols.tcp-ip.domains during early October, 1996. It was posted with the subject "Keeping db.cache current". It is available at -http://www.users.pfmc.net/~cdp/cptd-faq/current_db_cache.txt. +http://www.intac.com/~cdp/cptd-faq/current_db_cache.txt. The latest cache file may also be obtained from the InterNIC via ftp or gopher: @@ -762,7 +962,7 @@ tried one time. Once all have responded, all RTT's will be nonzero, and the "fastest server" will get all queries henceforth, until it slows down for some reason. -To promote dispersion and good recordkeeping, BIND will penalize the RTT +To promote dispersion and good record keeping, BIND will penalize the RTT by a little bit each time a server is reused, and it will penalize the RTT a _lot_ if it ever has to retransmit a query. For a server to stay "#1", it has to keep on answering quickly and consistently. 
@@ -773,18 +973,26 @@ very differently. ----------------------------------------------------------------------------- -Question 2.22. InterNIC and domain names +Question 2.22. Domain names and legal issues -Date: Sun Jun 2 11:23:49 EDT 1996 +Date: Mon Jun 15 22:15:32 EDT 1998 -The current InterNIC policy on what to do if someone wants to use a domain -name that is already in use may be found at +A domain name may be someone's trademark and the use of a trademark +without its owner's permission may be a trademark violation. This may +lead to a legal dispute. RFC 1591 allows registration authorities to +play a neutral role in domain name disputes, stating that: -rs.internic.net : /policy/internic/internic-domain-4.txt + In case of a dispute between domain name registrants as to the + rights to a particular name, the registration authority shall have + no role or responsibility other than to provide the contact + information to both parties. -or +The InterNIC's current domain dispute policy (effective February 25, 1998) +is located at: -http://rs.internic.net/domain-info/internic-domain-4.html. +http://www.internic.net/domain-info/internic-domain-6.html + +Other domain registrars have similar domain dispute policies. The following information was submitted by Carl Oppedahl <oppedahl@patents.com> : 
@@ -805,13 +1013,99 @@ http://www.patents.com/nsi.sht. A compendium of information on the subject may be found at http://www.law.georgetown.edu/lc/internic/domain1.html. +----------------------------------------------------------------------------- + +Question 2.23. Iterative and Recursive lookups + +Date: Wed Jul 9 22:05:32 EDT 1997 + +Q: What is the difference between iterative and recursive lookups ? How +do you configure them and when would you specify one over the other ? + +A: (from an answer written by Barry Margolin) In an iterative lookup, the +server tells the client "I don't know the answer, try asking <list of +other servers>". In a recursive lookup, the server asks one of the other +servers on your behalf, and then relays the answer back to you. + +Recursive servers are usually used by stub resolvers (the name lookup +software on end systems). They're configured to ask a specific set of +servers, and expect those servers to return an answer rather than a +referral. By configuring the servers with recursion, they will cache +answers so that if two clients try to look up the same thing it won't have +to ask the remote server twice, thus speeding things up. + +Servers that aren't intended for use by stub resolvers (e.g. the root +servers, authoritative servers for domains). Disabling recursion reduces +the load on them. + +In BIND 4.x, you disable recursion with "options no-recursion" in the +named.boot file. + +----------------------------------------------------------------------------- + +Question 2.24. Dynamic DNS + +Mon Jan 18 20:31:58 EST 1999 + +Q: Bind 8 includes some support for Dynamic DNS as specified in RFC 2136. +It does not currently include the authentication mechanism that is +described in RFC 2137, meaning that any update requests received from +allowed hosts will be honored. + +Could someone give me a working example of what syntax nsupdate expects ? 
+Is it possible to write an update routine which directs it's update to a +particular server, ignoring what the DNS servers are the serving NS's? + +A: You might check out Michael Fuhr's Net::DNS Perl module, which you can +use to put together dynamic update requests. See +http://www.fuhr.net/~mfuhr/perldns/Update.html for additional information. +Michael posted a sample script to show how to use Net::DNS: + + #!/usr/local/bin/perl -w + use Net::DNS; + $res = new Net::DNS::Resolver; + $res->nameservers("some-nameserver.foo.com"); + $update = new Net::DNS::Update("foo.com"); + $update->push("update", rr_del("old-host.foo.com")); + $update->push("update", rr_add("new-host.foo.com A 10.1.2.3")); + $ans = $res->send($update); + print $ans ? $ans->header->rcode : $res->errorstring, "\n"; + +Additional information for Dynamic DNS updates may be found at +http://simmons.starkville.ms.us/tips/081797/. + +----------------------------------------------------------------------------- + +Question 2.25. What version of bind is running on a server ? + +Date: Mon Mar 9 22:15:11 EST 1998 + +On 4.9+ servers, you may obtain the version of bind running with the +following command: + +dig @server.to.query txt chaos version.bind. + +and optionally pipe that into 'grep VERSION'. Please note that this will +not work on an older nameserver. + +----------------------------------------------------------------------------- + +Question 2.26. BIND and Y2K + +Date: Thu Feb 11 14:58:04 EST 1999 + +Is the "Y2K" problem an issue for bind ? + +You will find the Internet Software Consortium's comment on the "Y2K" +issue at http://www.isc.org/y2k.html. + =============================================================================== Section 3. UTILITIES Q3.1 Utilities to administer DNS zone files Q3.2 DIG - Domain Internet Groper - Q3.3 DNS packet analyser + Q3.3 DNS packet analyzer Q3.4 host Q3.5 How can I use DNS information in my program? Q3.6 A source of information relating to DNS 
@@ -820,7 +1114,7 @@ Section 3. UTILITIES Question 3.1. Utilities to administer DNS zone files -Date: Wed Sep 4 22:53:53 EDT 1996 +Date: Tue Jan 7 00:22:31 EST 1997 There are a few utilities available to ease the administration of zone files in the DNS. @@ -838,7 +1132,12 @@ anonymous ftp from ftp.cus.cam.ac.uk : /pub/software/programs/DNS/makezones -More information may be found using the DNS Resources Directory +bpp is a m4 macro package for pre-processing the master files bind uses to +define zones. Information on this package may be found at +http://www.meme.com/soft. + +More information on various DNS related utilities may be found using the +DNS Resources Directory http://www.dns.net/dnsrd/. 
@@ -854,26 +1153,24 @@ latest kit. ----------------------------------------------------------------------------- -Question 3.3. DNS packet analyser +Question 3.3. DNS packet analyzer -Date: Wed Sep 4 23:43:57 EDT 1996 +Date: Mon Jun 15 21:42:11 EDT 1998 -There is a free ethernet analyser called Ethload available for PC's -running DOS. The latest filename is ETHLD104.ZIP. It understands lots of +There is a free ethernet analyzer called Ethload available for PC's +running DOS. The latest filename is ETHLD200.ZIP. It understands lots of protocols including TCP/UDP. It'll look inside there and display DNS/BOOTP/ICMP packets etc. (Ed. note: something nice for someone to add to tcpdump ;^) ). Depending on the ethernet controller it's given it'll perform slightly differently. It handles NDIS/Novell/Packet drivers. It -works best with Novell's promiscuous mode drivers. A SimTel mirror site -should have the program available for anonymous ftp. One is - -ftp.coast.net : /SimTel/msdos/lan/ethld104.zip +works best with Novell's promiscuous mode drivers. The current home page +for Ethload is http://www.ping.be/ethload. ----------------------------------------------------------------------------- Question 3.4. host -Date: Sun Dec 4 21:15:38 EST 1994 +Date: Thu Feb 11 14:43:39 EST 1999 A section from the host man page: @@ -904,6 +1201,9 @@ It may also be found for anonymous ftp from ftp.uu.net : /networking/ip/dns/host.tar.Z +Programs with some of the functionality of host for NT may be found at +http://www.tucows.com under "Network Tools, DNS Lookup Utilities". + ----------------------------------------------------------------------------- Question 3.5. How can I use DNS information in my program? 
@@ -932,7 +1232,7 @@ It depends on precisely what you want to do: Question 3.6. A source of information relating to DNS -Date: Tue Nov 5 23:42:21 EST 1996 +Mon Jan 18 20:35:49 EST 1999 You may find utilities and tools to help you manage your zone files (including WWW front-ends) in the "tools" section of the DNS resources @@ -940,7 +1240,9 @@ directory: http://www.dns.net/dnsrd/tools.html -There are also a number of IP management tools available. Data +Two that come to mind are MIT's WebDNS and the University of Utah tools. + +There are also a number of commercial IP management tools available. Data Communications had an article on the subject in Sept/Oct of 1996. The tools mentioned in the article and a few others may be found at the following sites: @@ -950,6 +1252,7 @@ following sites: * NetID, http://www.isotro.com * QIP, http://www.quadritek.com * UName-It, http://www.esm.com +* dnsboss, http://www.dnsboss.com =============================================================================== @@ -961,13 +1264,16 @@ Section 4. DEFINITIONS Q4.4 My server does not consider itself authoritative ! Q4.5 NS records don't configure servers as authoritative ? Q4.6 underscore in host-/domainnames - Q4.7 What is lame delegation ? - Q4.8 How can I see if the server is "lame" ? - Q4.9 What does opt-class field in a zone file do? - Q4.10 Top level domains - Q4.11 Classes of networks - Q4.12 What is CIDR ? - Q4.13 What is the rule for glue ? + Q4.7 How do I turn the "_" check off ? + Q4.8 What is lame delegation ? + Q4.9 How can I see if the server is "lame" ? + Q4.10 What does opt-class field in a zone file do? + Q4.11 Top level domains + Q4.12 US Domain + Q4.13 Classes of networks + Q4.14 What is CIDR ? + Q4.15 What is the rule for glue ? + Q4.16 What is a stub record/directive ? ----------------------------------------------------------------------------- 
@@ -990,7 +1296,9 @@ someone who's just starting along a TCP/IP path. Question 4.2. What are slaves and forwarders ? -Date: Thu Dec 1 10:32:43 EST 1994 +Date: Mon Jan 18 22:14:30 EST 1999 + +Parts of this section were contributed by Albert E. Whale. "forwarders" is a list of NS records that are _prepended_ to a list of NS records to query if the data is not available locally. This allows a rich @@ -1001,6 +1309,28 @@ distributed sites to increase the chance that you don't have to go off to the Internet to get an IP address. (sometimes for addresses across the street!) +If you have a "forwarders" line, you will only consult the root servers if +you get no response from the forwarder. If you get a response, and it +says there's no such host, you'll return that answer to the client -- you +won't consult the root. + +The "forwarders" statement is found in the /etc/named.boot file which is +read each time DNS is started. The command format is as follows: + +forwarders <IP Address #1> [<IP Address #2>, .... <IP Address #n>] +The "forwarders" line specifies the IP Address(es) of DNS servers that +accept queries from other servers. + +The "forwarders" command is used to cause a large site wide cache to be +created on a master and reduce traffic over the network to other servers. +It can also be used to allow DNS servers to answer Internet name queries +which do not have direct access to the Internet. + +The forwarders command is used in conjunction with the traditional DNS +configuration which requires that a NS entry be found in the cache file. +The DNS server can support the forwarders command if the server is able to +resolve entries that are not part of the local server's cache. + "slave" modifies this to say to replace the list of NS records with the forwarders entry, instead of prepending to it. This is for firewalled environments, where the nameserver can't directly get out to the Internet 
@@ -1010,6 +1340,18 @@ at all. "forwarders". "forwarders" is an entry in named.boot, and therefore applies only to the nameserver (not to resolvers). +The "slave" command is usually found immediately following the forwarders +command in the boot file. It is normally used on machines that are +running DNS but do not have direct access to the Internet. By using the +"forwarders" and "slave" commands the server can contact another DNS +server which can answer DNS queries. The "slave" option may also be used +behind a firewall where there may not be a network path available to +directly contact nameservers listed in the cache. + +Additional information on slave servers may be found in the BOG (BIND +Operations Guide http://www.isc.org/bind.html) section 6.1.8 (Slave +Servers). + ----------------------------------------------------------------------------- Question 4.3. When is a server authoritative? @@ -1039,6 +1381,7 @@ The question was: that this is because the service provider has not given us control over the IP numbers in our own domain, and so while the machine listed has an A record for an address, there is no corresponding PTR record. + With the answer: That's possible too, but is unrelated to the first question. @@ -1050,6 +1393,7 @@ With the answer: A server may consider itself non-authoritative even though it's a primary if there is a syntax error in the zone (see the list in the previous question). + ----------------------------------------------------------------------------- Question 4.5. NS records don't configure servers as authoritative ? @@ -1064,7 +1408,7 @@ but not authoritative -- that's a "lame delegation") Question 4.6. underscore in host-/domainnames -Date: Mon Aug 5 22:39:02 EDT 1996 +Date: Sat Aug 9 20:30:37 EDT 1997 The question is "Are underscores are allowed in host- or domainnames" ? RFC 1033 allows them. 
@@ -1114,6 +1458,7 @@ From RFC 1123, Section 2.1 the relaxation in [RFC 1123].) Note there are some Internet hostnames which violate this rule (411.org, 1776.com). + Finally, one more piece of information (From Paul Vixie): RFC 1034 says only that domain names have characters in them, though it @@ -1127,17 +1472,33 @@ Finally, one more piece of information (From Paul Vixie): <domainname> ::= <hname> <hname> ::= <name>*["."<name>] - <name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>] - + <name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>] + There has been a recent update on this subject which may be found in ftp.internic.net : /internet-drafts/draft-andrews-dns-hostnames-03.txt. +An RFC Internet standards track protocol on the subject "Clarifications to +the DNS Specification" may be found in RFC 2181. This updates RFC 1034, +RFC 1035, and RFC 1123. + +----------------------------------------------------------------------------- + +Question 4.7. How do I turn the "_" check off ? + +Date: Mon Nov 10 22:54:54 EST 1997 + +In the 4.9.5-REL and greater, you may turn this feature off with the +option "check-names" in the named boot file. This option is documented +in the named manual page. The syntax is: + + check-names primary warn + ----------------------------------------------------------------------------- -Question 4.7. What is lame delegation ? +Question 4.8. What is lame delegation ? -Date: Mon Aug 5 22:45:02 EDT 1996 +Date: Tue Mar 11 21:51:21 EST 1997 Two things are required for a lame delegation: 
@@ -1156,7 +1517,7 @@ correct) data for that zone, and it must be answering authoritatively to resolver queries for that zone. (The AA bit is set in the flags section) The "classic" lame delegation case is when nameserver X is delegated as -authoritative for domain Y, yet when you ask Y about X, it returns +authoritative for domain Y, yet when you ask X about Y, it returns non-authoritative data. Here's an example that shows what happens most often (using dig, dnswalk, @@ -1185,9 +1546,9 @@ updates later never let the folks at the NIC know about it. ----------------------------------------------------------------------------- -Question 4.8. How can I see if the server is "lame" ? +Question 4.9. How can I see if the server is "lame" ? -Date: Mon Aug 5 22:45:02 EDT 1996 +Date: Mon Sep 14 22:09:35 EDT 1998 Go to the authoritative servers one level up, and ask them who they think is authoritative, and then go ask each one of those delegees if they think @@ -1198,13 +1559,11 @@ You can then send off a message to the administrators of the level above. The 'lamers' script from Byran Beecher really takes care of all this for you. It parses the lame delegation notices from BIND's syslog and summarizes them for you. It may be found in the contrib section of the -latest BIND distribution. The latest version is available for anonymous -ftp from +latest BIND distribution. The latest version is included in the BIND +distribution. -terminator.cc.umich.edu : /dns/lame-delegations/ - - If you want to actively check for lame delegations, you can use 'doc' -and 'dnswalk'. You can check things manually with 'dig'. +If you want to actively check for lame delegations, you can use 'doc' and +'dnswalk'. You can check things manually with 'dig'. The InterNIC recently announced a new lame delegation that will be in effect on 01 October, 1996. Here is a summary: 
@@ -1235,13 +1594,13 @@ effect on 01 October, 1996. Here is a summary: postal mail and all whois contacts will be notified by e-mail, with instructions for taking corrective action. * Following 60 days in a "hold" status, the name will be deleted and made - available for reregistration. Notification of the final deletion will + available for re-registration. Notification of the final deletion will be sent to the name server and domain name contacts listed in the NIC database. ----------------------------------------------------------------------------- -Question 4.9. What does opt-class field in a zone file do? +Question 4.10. What does opt-class field in a zone file do? Date: Thu Dec 1 11:10:39 EST 1994 @@ -1252,13 +1611,15 @@ This field is the address class. From the BOG - internet information. Limited support is included for the HS class, which is for MIT/Athena ``Hesiod'' information. + ----------------------------------------------------------------------------- -Question 4.10. Top level domains +Question 4.11. Top level domains -Date: Fri Dec 6 15:13:35 EST 1996 +Date: Mon Jun 15 22:25:57 EDT 1998 + +RFC 1591 defines the term "Top Level Domain" (TLD) as: -A section from RFC 1591: 2. The Top Level Structure of the Domain Names 
@@ -1269,219 +1630,135 @@ A section from RFC 1591: letter country codes from ISO-3166. It is extremely unlikely that any other TLDs will be created. ------ +The unnamed root-level domain (usually denoted as ".") is currently being +maintained by the Internet Assigned Number Authority (IANA). Beside that, +IANA is currently in charge for some other vital functions on the Internet +today, including global distribution of address space, autonomous system +numbers and all other similar numerical constants, necessary for proper +TCP/IP protocol stack operation (e.g. port numbers, protocol identifiers +and so on). According to the recent proposals of the US Government, better +known as "Green Paper": + +http://www.ntia.doc.gov/ntiahome/domainname/domainname130.htm + +IANA will gradually transfer its current functions to a new non-profit +international organization, which won't be influenced exclusively by the +US Government. This transfer will occur upon the final version of the +"Green Paper" has been issued. + +Currently, the root zone contains five categories of top level domains: + -[ Ed note: the ISO-3166 country codes may be found for anonymous ftp +(1) World wide gTLDs - maintained by the InterNIC: + - COM - Intended for commercial entities - companies, corporations etc. + - NET - Intended for Internet service providers and similar entities. + - ORG - Intended for other organizations, which don't fit to the above. + +(2) Special status gTLDs + - EDU - Restricted to 4 year colleges and universities only. + - INT - Intended for international treaties and infrastructural databases. + +(3) US restricted gTLDs + - GOV - Intended for US Government offices and agencies. + - MIL - Intended for the US military. + +(4) ISO 3166 country code TLDs (ccTLDs) - FR, CH, SE etc. + +(5) Reverse TLD - IN-ADDR.ARPA. + +Generic TLDs COM, NET, ORG and EDU are currently being maintained by the +InterNIC. IANA maintains INT and IN-ADDR.ARPA. 
The US Government and US +Army maintain their TLDs independently. + +The application form for the EDU, COM, NET, ORG, and GOV domains may be +found for anonymous ftp from: + +internic.net : /templates/domain-template.txt + +The country code domains (ISO 3166 based - example, FR, NL, KR, US) are +each organized by an administrator for that country. These administrators +may further delegate the management of portions of the naming tree. These +administrators are performing a public service on behalf of the Internet +community. The ISO-3166 country codes may be found for anonymous ftp from: * ftp.isi.edu : /in-notes/iana/assignments/country-codes * ftp.ripe.net : /iso3166-codes -] +More information about particular country code TLDs may be found at: + +* http://www.iana.org/ +* http://www.UNINETT.NO/navn/domreg.html +* http://www.ripe.net/centr/tld.html +* http://www.nic.fr/Guides/AutresNics/ +* sipb.mit.edu : /pub/whois/whois-servers.list + +Contrary to the initial plans, stated in the RFC 1591, not to include +more TLDs in the near future, some other forums don't share that opinion. + +The International Ad Hoc Committee (IAHC) ({http://www.iahc.org/) was was +selected by the IAB, IANA, ITU, INTA, WIPO, and ISOC to study and +recommend changes to the existing Domain Name System (DNS). The IAHC +recommended the following regarding TLD's on February 4, 1997: + + In order to cope with the great and growing demand for Internet + addresses in the generic top level domains, the generic Top Level + Domain (gTLD) MoU calls for the establishment of seven new gTLDs in + addition to the existing three. These will be .FIRM, .STORE, .WEB, + .ARTS, .REC, .NOM and .INFO. In addition, the MoU provides for the + setting up of an initial 28 new registrars around the world four + from each of seven world regions. More registrars will be added as + operational and administrative issues are worked out. 
Registrars + will compete on a global basis, and users will be able shop around + for the registrar which offers them the best arrangement and price. + Users will also be able to change registrar at any time while + retaining the same domain address, thus ensuring global portability. -[ Ed note: Since the Internic started charging for registration services, -(and for other reasons) there are a number of groups that want to offer -an alternative to registering a domain under a "standard" TLD. More -information on some of these options may be found at: +The full text of the recommendation may be found at: -* http://www.alternic.net/ -* http://www.eu.org/ -* http://www.ml.org/mljoin.html +http://www.iahc.org/draft-iahc-recommend-00.html. + +Beside IAHC, several other forums have been created, by people willing to +change the current addressing structure in the global network. Some of +them may be found at: + +* http://www.alternic.net/ +* http://www.eu.org/ +* http://www.webtld.com/ You may participate in one of the discussions on iTLD proposals at * To sign up: http://www.newdom.com/lists * Old postings: http://www.newdom.com/archive -] - ------ - - ... - Under each TLD may be created a hierarchy of names. Generally, under - the generic TLDs the structure is very flat. That is, many - organizations are registered directly under the TLD, and any further - structure is up to the individual organizations. - - In the country TLDs, there is a wide variation in the structure, in - some countries the structure is very flat, in others there is - substantial structural organization. In some country domains the - second levels are generic categories (such as, AC, CO, GO, and RE), - in others they are based on political geography, and in still others, - organization names are listed directly under the country code. The - organization for the US country domain is described in RFC 1480. - - Each of the generic TLDs was created for a general category of - organizations. 
The country code domains (for example, FR, NL, KR, - US) are each organized by an administrator for that country. These - administrators may further delegate the management of portions of the - naming tree. These administrators are performing a public service on - behalf of the Internet community. Descriptions of the generic - domains and the US country domain follow. - - Of these generic domains, five are international in nature, and two - are restricted to use by entities in the United States. - - World Wide Generic Domains: - - COM - This domain is intended for commercial entities, that is - companies. This domain has grown very large and there is - concern about the administrative load and system performance if - the current growth pattern is continued. Consideration is - being taken to subdivide the COM domain and only allow future - commercial registrations in the subdomains. - - EDU - This domain was originally intended for all educational - institutions. Many Universities, colleges, schools, - educational service organizations, and educational consortia - have registered here. More recently a decision has been taken - to limit further registrations to 4 year colleges and - universities. Schools and 2-year colleges will be registered - in the country domains (see US Domain, especially K12 and CC, - below). - - NET - This domain is intended to hold only the computers of network - providers, that is the NIC and NOC computers, the - administrative computers, and the network node computers. The - customers of the network provider would have domain names of - their own (not in the NET TLD). - - ORG - This domain is intended as the miscellaneous TLD for - organizations that didn't fit anywhere else. Some non- - government organizations may fit here. - - INT - This domain is for organizations established by international - treaties, or international databases. 
- - United States Only Generic Domains: - - GOV - This domain was originally intended for any kind of government - office or agency. More recently a decision was taken to - register only agencies of the US Federal government in this - domain. State and local agencies are registered in the country - domains (see US Domain, below). - - MIL - This domain is used by the US military. - - Example country code Domain: - - US - As an example of a country domain, the US domain provides for - the registration of all kinds of entities in the United States - on the basis of political geography, that is, a hierarchy of - <entity-name>.<locality>.<state-code>.US. For example, - "IBM.Armonk.NY.US". In addition, branches of the US domain are - provided within each state for schools (K12), community - colleges (CC), technical schools (TEC), state government - agencies (STATE), councils of governments (COG),libraries - (LIB), museums (MUS), and several other generic types of - entities (see RFC 1480 for details). - - -A section from RFC 1480: - - 2. NAMING STRUCTURE - - The US Domain hierarchy is based on political geography. The - basic name space under US is the state name space, then the - "locality" name space, (like a city, or county) then - organization or computer name and so on. - - For example: - - BERKELEY.CA.US - PORTLAND.WA.US - - There is of course no problem with running out of names. - - The things that are named are individual computers. - - If you register now in one city and then move, the database can - be updated with a new name in your new city, and a pointer can - be set up from your old name to your new name. This type of - pointer is called a CNAME record. - - The use of unregistered names is not effective and causes problems - for other users. Inventing your own name and using it without - registering is not a good idea. 
- - In addition to strictly geographically names, some special names - are used, such as FED, STATE, AGENCY, DISTRICT, K12, LIB, CC, - CITY, and COUNTY. Several new name spaces have been created, - DNI, GEN, and TEC, and a minor change under the "locality" name - space was made to the existing CITY and COUNTY subdomains by - abbreviating them to CI and CO. A detailed description - follows. - - Below US, Parallel to States: - ----------------------------- - - "FED" - This branch may be used for agencies of the federal - government. For example: <org-name>.<city>.FED.US - - "DNI" - DISTRIBUTED NATIONAL INSTITUTES - The "DNI" branch was - created directly under the top-level US. This branch is to be used - for distributed national institutes; organizations that span state, - regional, and other organizational boundaries; that are national in - scope, and have distributed facilities. For example: - <org-name>.DNI.US. - - Name Space Within States: - ------------------------ - - "locality" - cities, counties, parishes, and townships. Subdomains - under the "locality" would be like CI.<city>.<state>.US, - CO.<county>.<state>.US, or businesses. For example: - Petville.Marvista.CA.US. - - "CI" - This branch is used for city government agencies and is a - subdomain under the "locality" name (like Los Angeles). For example: - Fire-Dept.CI.Los-Angeles.CA.US. - - "CO" - This branch is used for county government agencies and is a - subdomain under the "locality" name (like Los Angeles). For example: - Fire-Dept.CO.San-Diego.CA.US. - - "K12" - This branch may be used for public school districts. A - special name "PVT" can be used in the place of a school district name - for private schools. For example: <school-name>.K12.<state>.US and - <school-name>.PVT.K12.<state>.US. - - "CC" - COMMUNITY COLLEGES - This branch was established for all state - wide community colleges. For example: <school-name>.CC.<state>.US. 
- - "TEC" - TECHNICAL AND VOCATIONAL SCHOOLS - The branch "TEC" was - established for technical and vocational schools and colleges. For - example: <school-name>.TEC.<state>.US. - - "LIB" - LIBRARIES (STATE, REGIONAL, CITY, COUNTY) - This branch may - be used for libraries only. For example: <lib-name>.LIB.<state>.US. - - "STATE" - This branch may be used for state government agencies. For - example: <org-name>.STATE.<state>.US. - - "GEN" - GENERAL INDEPENDENT ENTITY - This branch is for the things - that don't fit easily into any other structure listed -- things that - might fit in to something like ORG at the top-level. It is best not - to use the same keywords (ORG, EDU, COM, etc.) that are used at the - top-level to avoid confusion. GEN would be used for such things as, - state-wide organizations, clubs, or domain parks. For example: - <org-name>.GEN.<state-code>.US. +----------------------------------------------------------------------------- + +Question 4.12. US Domain + +Date: Mon Jun 15 22:25:57 EDT 1998 + +Information on the US domain registration services may be found at +http://www.isi.edu/in-notes/usdnr/. The application form for the US domain may be found: * for anonymous ftp from internic.net : /templates/us-domain-template.txt * http://www.isi.edu/us-domain/ -The application form for the EDU, COM, NET, ORG, and GOV domains may be -found for anonymous ftp from: +A WWW interface to a whois server for the US domain may be found at +http://www.isi.edu/in-notes/usdnr/rwhois.html. This whois server may be +used with the command + % whois -h nii-server.isi.edu k12.ks.us + OR + % whois k12.ks.us@nii-server.isi.edu + (depending on your version of whois). -internic.net : /templates/domain-template.txt ----------------------------------------------------------------------------- -Question 4.11. Classes of networks +Question 4.13. 
Classes of networks -Date: Wed Sep 4 22:59:27 EDT 1996 +Date: Sun Feb 9 22:36:21 EST 1997 The usage of 'classes of networks' (class A, B, C) are historical and have been replaced by CIDR blocks on the Internet. That being said... @@ -1502,7 +1779,7 @@ Class field field Internet Protocol address in binary Ranges ============================================================================ A 7 24 0NNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH 1-127.x.x.x B 14 16 10NNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH 128-191.x.x.x - C 22 8 110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH 192-223.x.x.x + C 21 8 110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH 192-223.x.x.x D NOTE 1 1110xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 224-239.x.x.x E NOTE 2 11110xxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 240-247.x.x.x @@ -1517,7 +1794,7 @@ Class field field Internet Protocol address in binary Ranges ----------------------------------------------------------------------------- -Question 4.12. What is CIDR ? +Question 4.14. What is CIDR ? Date: Tue Nov 5 23:47:29 EST 1996 @@ -1539,9 +1816,9 @@ Also please see the CIDR FAQ at ----------------------------------------------------------------------------- -Question 4.13. What is the rule for glue ? +Question 4.15. What is the rule for glue ? -Date: Fri Apr 28 13:31:24 EDT 1995 +Date: Mon Sep 14 22:04:42 EDT 1998 A glue record is an A record for a name that appears on the right-hand side of a NS record. So, if you have this: 
@@ -1597,6 +1874,66 @@ RFC 1537 says it quite nicely: problem that wrong glue records could enter secondary servers in a zone transfer. +In response to a question on glue records, Mark Andrews stated the +following: + + BIND's current position is somewhere between the overly restrictive + position given above and the general allow all glue position that + prevailed in 4.8.x. + + BIND's current break point is below the *parent* zone, i.e. it + allows glue records from sibling zones of the zone being + delegated. + + The following applies for glue + + Below child: always required + Below parent: often required + Elsewhere: seldom required + + The main reason for resticting glue is not that it in not + required but that it is impossible to track down *bad* glue if + you allow glue that falls into "elsewhere". Ask UUNET or any + other large provider the problems that BIND 4.8.x general glue + rules caused. If you want to examine a true data virus you need + only look at the A records for ns.uu.net. + + The "below parent" and "below child" both allow you to find bad + glue records. Below the parent has a bigger search space to that + of below the child but is still managable. + + It is believed that the elsewhere cases are sufficiently rare + that they can be ignored in practice and if detected can be worked + around by creating be creating A records for the nameservers + that fall into one of the other two cases. This requires + resolvers to correctly lookup missing glue and requery when they + have this glue. BIND does *not* do this correctly at present. +----------------------------------------------------------------------------- + +Question 4.16. What is a stub record/directive ? + +Date: Mon Nov 10 22:45:33 EST 1997 + +Q: What is the difference, or advantages, of using a stub record versus +using an NS record and a glue record in the zone file? 
+ +Cricket Liu responds, + + "Stub" is a directive, not a record (well, it's a directive in BIND 4; +in BIND 8, it's an option to the "zone" statement). The stub directive +configures your name server to do a zone transfer just as a secondary +master name server would, but to use just the NS records. It's a +convenient way for a parent name server to keep track of the servers +for subzones. + +and Barry Margolin adds, + + Using stub records ensures that the NS records in the parent will be +consistent with the NS records in the child. If you have to enter NS +records manually, you run the possibility that the child will change his +servers without telling you. Then you'll give out incorrect delegation +information, possibly resulting in the infamous "lame delegation". + The remainder of the FAQ is in the next part (Part 2 of 2). diff --git a/contrib/bind/doc/misc/FAQ.2of2 b/contrib/bind/doc/misc/FAQ.2of2 index 40e1649..f9594ee 100644 --- a/contrib/bind/doc/misc/FAQ.2of2 +++ b/contrib/bind/doc/misc/FAQ.2of2 @@ -1,28 +1,27 @@ -Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers -Path: vixie!news1.digital.com!su-news-hub1.bbnplanet.com!news.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.mathworks.com!news.kei.com!uhog.mit.edu!rutgers!njitgw.njit.edu!hertz.njit.edu!cdp2582 +Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!news.kodak.com!news-nysernet-16.sprintlink.net!news-in-east1.sprintlink.net!news.sprintlink.net!newshub.northeast.verio.net!news.idt.net!newsin.iconnet.net!IConNet!not-for-mail 
From: cdp2582@hertz.njit.edu (Chris Peckham) +Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers,comp.protocols.dns.bind Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 2 of 2) -Message-ID: <cptd-faq-2-849940949@njit.edu> +Supersedes: <cptd-faq-2-911181667@njit.edu> Followup-To: comp.protocols.tcp-ip.domains -Originator: cdp2582@hertz.njit.edu -Keywords: BIND,DOMAIN,DNS -Sender: news@njit.edu -Supersedes: <cptd-faq-2-847336183@njit.edu> -Nntp-Posting-Host: hertz.njit.edu -X-Posting-Frequency: posted during the first week of each month -Reply-To: domain-faq@njit.edu (comp.protocols.tcp-ip.domains FAQ comments) Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA -References: <cptd-faq-1-849940949@njit.edu> -Date: Sat, 7 Dec 1996 06:42:49 GMT +Lines: 2050 +Sender: cdp@chipmunk.iconnet.net Approved: news-answers-request@MIT.EDU -Expires: Sat 11 Jan 97 02:42:29 EDT -Lines: 1277 -Xref: vixie comp.protocols.tcp-ip.domains:12905 comp.answers:22441 news.answers:85683 +Distribution: world +Expires: Wednesday, 20 Jan 99 11:47:26 EDT +Message-ID: <cptd-faq-2-913826846@njit.edu> +References: <cptd-faq-1-913826846@njit.edu> +Reply-To: domain-faq@pfmc.net (comp.protocols.tcp-ip.domains FAQ comments) +Keywords: BIND,DOMAIN,DNS +X-Posting-Frequency: posted during the first week of each month +Date: Wed, 16 Dec 1998 16:47:32 GMT +NNTP-Posting-Host: chipmunk.iconnet.net +NNTP-Posting-Date: Wed, 16 Dec 1998 11:47:32 EDT +Xref: senator-bedfellow.mit.edu comp.protocols.tcp-ip.domains:22180 comp.answers:34269 news.answers:146737 comp.protocols.dns.bind:6040 -Posted-By: auto-faq 3.1.1.2 +Posted-By: auto-faq 3.3 beta (Perl 5.004) Archive-name: internet/tcp-ip/domains-faq/part2 -Revision: 1.13 1996/12/07 06:42:15 - (Continued from Part 1, where you'll find the introduction and table of contents.) 
@@ -32,27 +31,48 @@ table of contents.) Section 5. CONFIGURATION - Q5.1 Changing a Secondary server to a Primary server ? - Q5.2 Moving a Primary server to another server - Q5.3 How do I subnet a Class B Address ? - Q5.4 Subnetted domain name service - Q5.5 Recommended format/style of DNS files - Q5.6 DNS on a system not connected to the Internet - Q5.7 Multiple Domain configuration - Q5.8 wildcard MX records - Q5.9 How do you identify a wildcard MX record ? - Q5.10 Why are fully qualified domain names recommended ? - Q5.11 Distributing load using named - Q5.12 Order of returned records - Q5.13 resolv.conf - Q5.14 How do I delegate authority for sub-domains ? - Q5.15 DNS instead of NIS on a Sun OS 4.1.x system - Q5.16 Patches to add functionality to BIND - Q5.17 How to serve multiple domains from one server + Q5.1 Upgrading from 4.9.x to 8.x + Q5.2 Changing a Secondary server to a Primary server ? + Q5.3 Moving a Primary server to another server + Q5.4 How do I subnet a Class B Address ? + Q5.5 Subnetted domain name service + Q5.6 Recommended format/style of DNS files + Q5.7 DNS on a system not connected to the Internet + Q5.8 Multiple Domain configuration + Q5.9 wildcard MX records + Q5.10 How do you identify a wildcard MX record ? + Q5.11 Why are fully qualified domain names recommended ? + Q5.12 Distributing load using named + Q5.13 Round robin IS NOT load balancing + Q5.14 Order of returned records + Q5.15 resolv.conf + Q5.16 How do I delegate authority for sub-domains ? + Q5.17 DNS instead of NIS on a Sun OS 4.1.x system + Q5.18 Patches to add functionality to BIND + Q5.19 How to serve multiple domains from one server + Q5.20 hostname and domain name the same + Q5.21 Restricting zone transfers + Q5.22 DNS in firewalled and private networks + Q5.23 Different DNS answers for same RR + +----------------------------------------------------------------------------- + +Question 5.1. Upgrading from 4.9.x to 8.x + +Date: Wed Jul 9 22:00:07 EDT 1997 + +Q: Help ! 
How do I use the Completely new configuration syntax in BIND 8 +? I've attempted to upgrade bind from 4.9.5 to 8.1, but unfortunately it +didn't seem to like the same config/zone files.. is this normal or should +8.1 be able to read the same files as 4.9.5 did? + +A: If you then look in doc/html/config.html, you will find directions on +how to convert a 4.9.x .boot file to 8.x .conf file, as well as directions +on how to utilize all of the new features of the 8.x .conf file format. ----------------------------------------------------------------------------- -Question 5.1. Changing a Secondary server to a Primary server ? +Question 5.2. Changing a Secondary server to a Primary server ? Date: Fri Jul 5 23:54:35 EDT 1996 @@ -73,7 +93,7 @@ receive the request. ----------------------------------------------------------------------------- -Question 5.2. Moving a Primary server to another server +Question 5.3. Moving a Primary server to another server Date: Fri Jul 5 23:54:35 EDT 1996 @@ -83,13 +103,13 @@ the root servers takes place after the request has been made to the InterNIC. If you are moving to a different ISP which will change your IP's, the -recommened setting for the SOA that would minimize problems for your name +recommend setting for the SOA that would minimize problems for your name servers using the old settings can be done as follows: Gradually lower the TTL value in your SOA (that's the last one of the five numbers) to always be equal to the time left until you change over. (assuming that none of your resource records have individual TTL's set, if -so, do likewise witht them.) So, the day before, lower to 43200 seconds +so, do likewise with them.) So, the day before, lower to 43200 seconds (12 hours). Then lower every few hours to be the time remaining until the change-over. So, an hour before the change, you may just want to lower it all the way to 60 seconds or so. That way no one can cache 
@@ -111,9 +131,9 @@ Also see the answer to the "How can I change the IP address of our server ----------------------------------------------------------------------------- -Question 5.3. How do I subnet a Class B Address ? +Question 5.4. How do I subnet a Class B Address ? -Date: Fri Apr 28 13:34:52 EDT 1995 +Date: Mon Jun 15 23:21:39 EDT 1998 That you need to subnet at all is something of a misconception. You can also think of a class B network as giving you 65,534 individual hosts, and 
@@ -146,25 +166,102 @@ anything from 255.0.0.0 to 255.255.255.252. You'll probably be looking at 1219 discusses the issue of subnetting very well and leaves the network administrator with a large amount of flexibility for future growth. ------------------------------------------------------------------------------ +(The following section was contributed by Berislav Todorovic.) + +A user or an ISP, having a whole /16 sized IP block (former "Class B") +network assigned/allocated, has the responsibility of maintaining the +reverse domain for the whole network. That policy is currently applied by +all regional Internet registries (RIPE NCC, ARIN, APNIC). In other words, +if you're assigned a whole "B class" (say, 10.91/16), you're in charge for +the whole 91.10.IN-ADDR.ARPA zone. This zone may be organized using two +methods, according to the network topology being in use. + +The first, "brute force" method is to place all PTR records directly into +a single zone file. Example: + + $origin 91.10.in-addr.arpa + @ IN SOA (usual stuff) + IN NS ns1.mydomain.com. + IN NS ns2.mydomain.com. + + 1.1 IN PTR one-1.mydomain.com. ; ---> 10.91.1.1 + 2.1 IN PTR one-2.mydomain.com. ; ---> 10.91.1.2 + ... + 254.1 IN PTR one-254.mydomain.com. ; ---> 10.91.1.254 + 1.2 IN PTR two-1.mydomain.com. ; ---> 10.91.2.1 + +While this approach may look simple in the networks with a central +management authority (say, campus networks), maintaining such a zone file +becomes more and more difficult in the more complex environment. Thus, +this becomes a bad method. Furthermore, if you're an ISP, it is more +likely that a /16 network will be subnetted and its subnets be assigned to +your customers. + +Therefore, another "smarter" approach is to delegate portions of the +reverse domain 91.10.IN-ADDR.ARPA to the end users of the subnets of +10.91/16. There would only be NS records in the zone file, while PTR +record insertion would be the responsibility of the end users. 
For +example, if you assign: + + * 10.91.0.0/22 (10.91.0.0 - 10.91.3.255) to Customer-A.COM + * 10.91.4.0/23 (10.91.4.0 - 10.91.5.255) to Customer-B.COM + * 10.91.7.0/24 (10.91.7.0 - 10.91.7.255) to Customer-C.COM + +then each customer will maintain zone files for the reverse domains of +their own networks (say, Customer C will maintain the zone +7.91.10.IN-ADDR.ARPA, customer B their 2 zones, Customer A their own 4 +zones). In this constellation, the zone file for reverse domain +91.10.IN-ADDR.ARPA will look like this: + + $origin 91.10.in-addr.arpa + @ IN SOA (usual stuff) + IN NS ns1.mydomain.com. + IN NS ns2.mydomain.com. + + ; --- Customer-A.COM -Question 5.4. Subnetted domain name service + + 0 IN NS ns.customer-A.com. + IN NS ns1.mydomain.com. + 1 IN NS ns.customer-A.com. + IN NS ns1.mydomain.com. + 2 IN NS ns.customer-A.com. + IN NS ns1.mydomain.com. + 3 IN NS ns.customer-A.com. + IN NS ns1.mydomain.com. -Date: Mon Aug 5 23:00:16 EDT 1996 + ; --- Customer-B.COM -If you are looking for some examples of handling subnetted class C -networks as separate DNS domains, see the Internet Draft + 4 IN NS ns.customer-B.com. + IN NS ns1.mydomain.com. + 5 IN NS ns.customer-B.com. + IN NS ns1.mydomain.com. -draft-ietf-cidrd-classless-inaddr-02.txt + ; --- Customer-C.COM -for more information. This file is available for anonymous ftp at + 7 IN NS ns.customer-C.com. + IN NS ns1.mydomain.com. -ds.internic.net : -/internet-drafts/draft-ietf-cidrd-classless-inaddr-02.txt +The zone file of the Customer C reverse domain would look like this: -or other IETF mirror sites (ftp.is.ca.za [Africa], nic.nordu.net [Europe], -munnari.oz.au [Pacific Rim], ds.internic.net [US East Coast], or -ftp.isi.edu [US West Coast]). + $origin 7.91.10.in-addr.arpa + @ IN SOA (usual stuff) + IN NS ns.customer-C.com. + IN NS ns1.mydomain.com. + + 1 IN PTR one.customer-C.com. + 2 IN PTR two.customer-C.com. + 3 IN PTR three.customer-C.com. + ... 
+ +----------------------------------------------------------------------------- + +Question 5.5. Subnetted domain name service + +Date: Thu Jul 16 10:50:41 EDT 1998 + +If you are looking for some examples of handling subnetted class C +networks as separate DNS domains, see RFC 2317 for more information. Details follow- You need to delegate down to the fourth octet, so you will have one domain per IP address ! Here is how you can subdelegate a @@ -212,11 +309,11 @@ And similar for the two.1.1.192.in-addr.arpa delegated domain. There is additional documentation and a perl script that may be used for this purpose available for anonymous ftp from: -ftp.vix.com : /pub/bind/contrib/gencidrzone +ftp.is.co.za : /networking/ip/dns/gencidrzone/gencidrzone ----------------------------------------------------------------------------- -Question 5.5. Recommended format/style of DNS files +Question 5.6. Recommended format/style of DNS files Date: Sun Nov 27 23:32:41 EST 1994 @@ -294,7 +391,7 @@ This answer is quoted from an article posted by Paul Vixie: This format will last us until 2147 A.D. at which point I expect a better solution will have been found :-). (Note that it would last until 4294 A.D. except that there are some old BINDs out there that - use a signed quantity for representing serial number interally; I + use a signed quantity for representing serial number internally; I suppose that as long as none of these are still running after 2047 A.D., that we can use the above serial number format until 4294 A.D., at which point a better solution will HAVE to be found.) 
@@ -346,7 +443,7 @@ $ORIGIN 1.16.in-addr.arpa. ============= It is usually pretty hard to keep your forward and reverse zones in - synch. You can avoid that whole problem by just using "h2n" (see + sync. You can avoid that whole problem by just using "h2n" (see the ORA book, DNS and BIND, and its sample toolkit, included in the BIND distribution or on ftp.uu.net (use the QUOTE SITE EXEC INDEX command there to find this -- I never can remember where it's at). @@ -382,7 +479,7 @@ pc.home A 192.5.5.3 ----------------------------------------------------------------------------- -Question 5.6. DNS on a system not connected to the Internet +Question 5.7. DNS on a system not connected to the Internet Date: Sun Nov 27 23:32:41 EST 1994 @@ -406,7 +503,7 @@ and a resolver that did configurable /etc/hosts fallback. ----------------------------------------------------------------------------- -Question 5.7. Multiple Domain configuration +Question 5.8. Multiple Domain configuration Date: Fri Dec 2 15:40:49 EST 1994 @@ -425,7 +522,7 @@ You can also do the same thing with multiple A records. ----------------------------------------------------------------------------- -Question 5.8. wildcard MX records +Question 5.9. wildcard MX records Date: Sun Nov 27 23:32:41 EST 1994 @@ -456,7 +553,7 @@ It just doesn't work. ----------------------------------------------------------------------------- -Question 5.9. How do you identify a wildcard MX record ? +Question 5.10. How do you identify a wildcard MX record ? Date: Thu Dec 1 11:10:39 EST 1994 @@ -477,7 +574,7 @@ RFC 974 explains this pretty well. ----------------------------------------------------------------------------- -Question 5.10. Why are fully qualified domain names recommended ? +Question 5.11. Why are fully qualified domain names recommended ? Date: Sun Nov 27 23:32:41 EST 1994 
@@ -495,6 +592,7 @@ Paul Vixie likes to do it :-) He lists a few reasons - * The real reason is that not doing it violates a very useful invariant: gethostbyname(gethostname) == gethostbyaddr(primary_interface_address) + If you take an address and go "backwards" through the PTR's with it, you'll get a FQDN, and if you push that back through the A RR's, you get the same address. Or you should. Many multi-homed hosts violate this @@ -523,9 +621,9 @@ Paul Vixie likes to do it :-) He lists a few reasons - ----------------------------------------------------------------------------- -Question 5.11. Distributing load using named +Question 5.12. Distributing load using named -Date: Wed Mar 1 11:04:43 EST 1995 +Date: Thu Jul 16 10:42:05 EDT 1998 When you attempt to distribute the load on a system using named, the first response be cached, and then later queries use the cached value (This @@ -548,7 +646,7 @@ Not nice. Paul Vixie has an example of the ROUND_ROBIN code in action. Here is something that he wrote regarding his example: - >I want users to be distributed evenly among those 3 hosts. + I want users to be distributed evenly among those 3 hosts. Believe it or not :-), BIND offers an ugly way to do this. I offer for your collective amusement the following snippet from the 
@@ -603,9 +701,34 @@ something that he wrote regarding his example: aliases: hydra.ugly.vix.com addresses: 10.3.0.3 10.3.0.1 10.3.0.2 +Please note that this is not a recommended practice and will not work with +modern BIND unless you have the entry "multiple-cnames yes" in your +named.conf file. + ----------------------------------------------------------------------------- -Question 5.12. Order of returned records +Question 5.13. Round robin IS NOT load balancing + +Date: Mon Mar 9 22:10:51 EST 1998 + +Round robin != load balancing. It's a very crude attempt at load +balancing, and a method that is possible without breaking DNS protocols. +If a host is down that is included in a round robin list, then +connections to that particular host will fail. In addition, true load +balancing should take into consideration the actual LOAD on the system. + +Information on one such technique, implemented by Roland J. Schemers III +at Stanford, may be found at +http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html. + +Additional information may be found in RFC 1794. MultiNet for OpenVMS +also includes this feature. + +----------------------------------------------------------------------------- + +Question 5.14. Order of returned records + +Date: Tue Apr 8 20:21:02 EDT 1997 Sorting, is the *resolver's* responsibility. RFC 1123: @@ -629,11 +752,12 @@ Sorting, is the *resolver's* responsibility. RFC 1123: administrator. In BIND 4.9.x's resolver code, the "sortlist" directive in resolv.conf -can be used to configure this. +can be used to configure this. The directive may also be used in the +named.boot as well. ----------------------------------------------------------------------------- -Question 5.13. resolv.conf +Question 5.15. resolv.conf Date: Fri Feb 10 15:46:17 EST 1995 
@@ -680,9 +804,9 @@ send to the loopback address). ----------------------------------------------------------------------------- -Question 5.14. How do I delegate authority for sub-domains ? +Question 5.16. How do I delegate authority for sub-domains ? -Date: Sat Dec 7 02:04:17 EST 1996 +Date: Mon Nov 10 22:57:54 EST 1997 When you start having a very big domain that can be broken into logical and separate entities that can look after their own DNS information, you @@ -724,9 +848,23 @@ The second NS line is because mackerel will be acting as secondary name server for the ucc.gu domain. Do not include this line if you are not authorative for the information included in the sub-domain. +To delegate authority for PTR records, the same concepts apply. + + stub 10.168.192.in-addr.arpa <subdomain server addr> db.192.168.10 + +may be added to your primary server's named.boot in recent versions of +bind. In other versions (and recent ones :-) ), the following lines may +be added to the db.192.168.10 zone file to perform the same function: + + xxx IN NS <server1> + xxx IN NS <server2> + xxx IN NS <server3> ; if needed +... + xxx IN NS <serverN> ; if needed + ----------------------------------------------------------------------------- -Question 5.15. DNS instead of NIS on a Sun OS 4.1.x system +Question 5.17. DNS instead of NIS on a Sun OS 4.1.x system Date: Sat Dec 7 01:14:17 EST 1996 @@ -742,9 +880,9 @@ as well as from rtfm.mit.edu in the usual place, etc. ----------------------------------------------------------------------------- -Question 5.16. Patches to add functionality to BIND +Question 5.18. Patches to add functionality to BIND -Date: Tue Nov 5 23:53:47 EST 1996 +Date: Wed Jan 14 11:57:20 EST 1998 There are others, but these are listed here: 
@@ -756,10 +894,16 @@ There are others, but these are listed here: * Patches for 4.9.3-REL that will support the IPv6 AAAA record format may be found at ftp.inria.fr : /network/ipv6/ + This is built into more recent versions of BIND (after 4.9.5?) + * A patch for 4.9.3-REL that will allow you to turn off forwarding of information from my server may be found at ftp.vix.com : /pub/bind/release/4.9.3/contrib/noforward.tar.gz + Also look at + + ftp.is.co.za : /networking/ip/dns/bind/contrib/noforward.tar.gz + * How do I tell a server to listen to a particular interface to listen and respond to DNS queries on ? @@ -767,9 +911,14 @@ There are others, but these are listed here: particular interface and respond to DNS queries. It may be found at an unofficial location: http://www.ultra.net/~jzp/andrews.patch.txt + This is built into BIND 8.1.1. + +* A patch to implement "selective forwarding" from Todd Aven at + http://www.dns.net/dnsrd/servers.html. + ----------------------------------------------------------------------------- -Question 5.17. How to serve multiple domains from one server +Question 5.19. How to serve multiple domains from one server Date: Tue Nov 5 23:44:02 EST 1996 
@@ -803,6 +952,312 @@ multiple domains, see http://www.thesphere.com/%7Edlp/TwoServers/. +----------------------------------------------------------------------------- + +Question 5.20. hostname and domain name the same + +Date: Wed Jul 9 21:47:36 EDT 1997 + +Q: I have a subdomain sub.foobar.com. I would like to name a host +sub.foobar.com. It should also be the mail relay for all hosts in +sub.foobar.com. How do I do this ? + +A: You would add an A record for sub.foobar.com, and multiple MX records +pointing to this host (sub.foobar.com). For example: + +sub.foobar.com. IN A 1.2.3.4 ; address of host +; +foo.sub.foobar.com. IN MX 10 sub.foobar.com. +bar.sub.foobar.com. IN MX 10 sub.foobar.com. + +The host, sub.foobar.com, may also need to be to configured to understand +that mail addressed to user@sub.foobar.com and possibly other sub.foobar.com +hosts should be treated as local. + +----------------------------------------------------------------------------- + +Question 5.21. Restricting zone transfers + +Date: Wed Jan 14 12:16:35 EST 1998 + +Q: How do I restrict my zone transfers to my secondaries or other trusted +hosts? + +A: Use the 'xfrnets' directive within the named.boot file or the +'secure_zone' TXT RR within a zone file. The BOG has more information on +both of these options. + +As an example within an 4.9.x named.boot file: + + xfernets 10.1.2.0&255.255.255.0 44.66.10.0&255.255.255.0 + + +Only Nameservers on these networks will be able to do zone transfers from +the server with this configuration. + +Please note that 'secure_zone' restricts all access to the containing +zone, as well as restricting zone transfers :-) . + +BIND 8.x supports restricting zone transfers on a per-zone basis in the +named.conf file, whereas BIND 4.9.x only supports xfrnets as a global +option. + +----------------------------------------------------------------------------- + +Question 5.22. 
DNS in firewalled and private networks + +Date: Mon Sep 14 22:15:16 EDT 1998 + +(The following section was contributed by Berislav Todorovic) + +When talking about private networks, we distinguish between two cases: + +* Networks consisting of firewall-separated private and public subnetworks + + * Same domain name used in private and public part of the network + * Different domain names used in the public and private subnetwork + +* Closed networks, not connected the Internet at all + +* The first case of the "Same domain name", we're talking about DNS + configuration, usually referred to as "split DNS". In this case, two + different DNS servers (or two separate DNS processes on the same + multi-homed machine) have to be configured. One of them ("private DNS") + will serve the internal network and will contain data about all hosts in + the private part of the network. The other one ("public DNS") will serve + Internet users and will contain only the most necessary RR's for + Internet users (like MX records for email exchange, A and CNAME records + for public Web servers, records for other publicly accessible hosts + etc.). Both of them will be configured as primary for the same corporate + domain (e.g. DOMAIN.COM). The public DNS will be delegated with the + appropriate NIC as authoritative for domain DOMAIN.COM. + + Private DNS - resolves names from DOMAIN.COM for hosts inside the + private network. If asked for a name outside DOMAIN.COM, they should + forward the request to the public DNS (forwarders line should be used in + the boot file). They should NEVER contact a root DNS on the Internet. + The boot file for the private DNS should, therefore, be: + + primary domain.com ZONE.domain.com + primary 1.10.in-addr.arpa REV.10.1 + forwarders 172.16.12.10 + slave + Public DNS - resolves names from DOMAIN.COM for hosts on the public part + of the network. 
If asked for a name outside DOMAIN.COM they should + contact root DNS servers or (optionally) forward the request to a + forwarder on the ISP network. Boot file for the public DNS should be of + the form: + + primary domain.com ZONE.domain.com + primary 12.16.172.in-addr.arpa REV.172.16.12 + ... (other domains) + Zone files for domain DOMAIN.COM on the public and private DNS should + be: + + ; --- Public DNS - zone file for DOMAIN.COM + + domain.com. IN SOA ns.domain.com. hostmaster.domain.com. ( ... ) + IN NS ns.domain.com. + IN NS ns.provider.net. + IN MX 10 mail.provider.net. + + ns IN A 172.16.12.10 + www IN A 172.16.12.12 + ftp IN A 172.16.12.13 + ... + + ; --- Private DNS - zone file for DOMAIN.COM + + domain.com. IN SOA ns1.domain.com. hostmaster.domain.com. ( ... ) + IN NS ns1.domain.com. + IN NS ns2.domain.com. + wks1-1 IN A 10.1.1.1 + wks1-2 IN A 10.1.1.2 + ... + + The second case of the "Same domain name", is simpler than the previous + case: in the internal network, a separate domain name might be used. + Recommended domain name syntax is "name.local" (e.g. DOMAIN.LOCAL). + Sample configuration: + + ; --- Private DNS - named.boot + + primary domain.local ZONE.domain.local + ... + forwarders 172.16.12.10 + slave + + ; --- Public DNS - named.boot + + primary domain.com ZONE.domain.com + ... + IMPLEMENTATION NOTES + + Location of the DNS service in both cases is irrelevant. Usually, they + are located on two different physical servers, each of them connected to + the appropriate part of the network (private, public). Certain savings + may be done if public DNS service is hosted on the ISP network - in that + case, the user will need only one (private) DNS server. + + Finally, both public and private DNS, in some cases, may be placed on + the servers in the private network, behind the firewall. With a Cisco + PIX, a statical public/private IP address mapping in this case would be + needed. 
Two servers for the same domain could be even placed on the + same physical server, with two different DNS processes running on + different IP interfaces. Note that BIND 8 is needed in the latter case. + +* If the network is not connected to the Internet at all, only private DNS + servers are needed. However, due to the lack of Internet connectivity, + internal servers will fail to contact the root DNS servers every time a + user types, by mistake, an address outside the corporate domain + DOMAIN.COM. Some older servers won't even work if they can't reach root + servers. To overcome this, it is most proper to create a so-called "fake + root zone" on one or more DNS servers in the corporation. That would + make all DNS servers within the corporation think there is only one or + two DNS servers in the world, all located on the corporation network. + Only domain names used within the corporation (DOMAIN.COM, appropriate + inverse domains etc.) should be entered in the fake root zone file. Note + that no cache line in the boot file of the "root" DNS makes sense. + Sample configuration: + + ; --- named.boot + + primary domain.com ZONE.domain.com + primary 1.10.in-addr.arpa REV.10.1 + priamry . ZONE.root + ... (other data; NOTE - do *NOT* place any "cache" line here !!!) + + ; --- ZONE.root - fake root zone file, containing only corporation domains + + . IN NS ns.domain.com. hostmaster.domain.com. ( ... ) + IN NS ns.domain.com. + IN NS ns2.domain.com. + + domain.com. IN NS ns.domain.com. + ns.domain.com. IN A 10.1.1.1 + domain.com. IN NS ns2.domain.com. + ns2.domain.com. IN A 10.1.1.2 + + 1.10.in-addr.arpa. IN NS ns.domain.com. + IN NS ns2.domain.com. + + Other zone files follow standard configuration. + +----------------------------------------------------------------------------- + +Question 5.23. 
Different DNS answers for same RR + +Date: Mon Sep 14 22:15:16 EDT 1998 + +(The following section was contributed by Berislav Todorovic) + +Many times there is a need for a DNS server to send different answers for +same RR's, depending on the IP address of the request sender. For example, +many coprporations wish to make their customers to use the "geographically +closest" Web server when accessing corporate Web pages. A corporation may +impose the following policy: if someone asked for the IP address of +WWW.DOMAIN.COM, they may want to: + +* Answer that the IP address is 172.16.2.3, if the request came from one + of the following IP networks: 172.1/16, 172.2/16 or 172.10/16. +* Answer that the IP address is 172.16.1.1, if the request came from the + IP address 172.16/16 or 172.17.128/18. +* By default, for all other requests send the answer that the IP address + is 172.16.2.3. + +The example above will need a DNS to send different A RR's, depending on +the source of queries. A similar approach may be imposed for MX's, CNAME's +etc. The question which arise here is: IS IT POSSIBLE? + +[Ed note: There are commercial products such as Cisco's Distributed +Director that also will address this issue] + +The simple answer to the question is: NOT DIRECTLY. This is true if +standard DNS software (e.g. BIND) is used on the DNS servers. However, +there are two workarounds which may solve this problem: + +* Using two DNS servers on different UDP ports + UDP redirector +* Using two DNS servers on different IP addresses + NAT on the router + +Solution 1: (tested on a Linux system and should work on other Unix boxes +as well). Software needed is: + +* BIND 8 +* udprelay - a package which redirects traffic to other UDP port + (sunsite.unc.edu: /pub/Linux/system/network/misc/udprelay-0.2.tar.Z ). 
+ +Build and install udprelay and bring up two DNS servers on different UDP +ports, using different configuration files (i.e., bring one on 5300 and +the other one on 5400): + + // --- named.conf.5300 + options { + directory "/var/named" + listen-on port 5300 { any; }; + ... (other options) + }; + + zone "domain.com" { + type master; + file "domain.com.5300"; + }; + + // --- named.conf.5400 + + options { + directory "/var/named" + listen-on port 5400 { any; }; + ... (other options) + }; + + zone "domain.com" { + type master; + file "domain.com.5400"; + }; + + + ; domain.com.5300 + ... (SOA and other stuff) + + www IN A 172.16.2.3 + + ; --- domain.com.5400 + ... (SOA and other stuff) + + www IN A 172.16.1.1 + +As can be seen, there will be two separate zone files for DOMAIN.COM, +depending on which UDP port the server listens to. Each zone file can +contain different records. Now, when configure udprelay to forward UDP +traffic from port 53 to 5300 or 5400, depending on the remote IP address: + + relay 172.1.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53 + relay 172.2.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53 + relay 172.10.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53 + relay 172.16.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53 + relay 172.17.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53 + relay * * 53 172.16.1.1 5400 53 +After starting udprelay, all traffic coming to port 53 will be redirected +to 5300 or 5400, depending on the source IP address. + +NOTE - This solution deals with the UDP part of DNS only. Zone xfers will +be able to be done from one DNS server only, since this solution doesn't +deal the TCP part of DNS. This is, thus, a partial solution but it works! + +Solution 2: Bring up two DNS servers on your network, using "private" IP +addresses (RFC 1918), say ns1.domain.com (10.1.1.1) and ns2.domain.com +(10.1.1.2). Both servers will have the same public address - 172.16.1.1, +which will be used to access the servers. 
Configure them to be both +primary for domain DOMAIN.COM. Let one of them (say, ns1) be the +"default" DNS, which will be used in most of the cases. Establish NAT on +the router, so it translates the public IP address 172.16.1.1 to 10.1.1.1 +and delegate your "default" DNS with the appropriate NIC, using its public +address 172.16.1.1. Once you're assured everything works, setup your +router to translate the public IP address 172.16.1.1 to either 10.1.1.1 or +10.1.1.2, depending on the requestor IP address. After that, depending on +the source IP address, the router will return one translation or the +latter, thus forwarding the remote side to the appropriate DNS server. + =============================================================================== Section 6. PROBLEMS 
@@ -817,14 +1272,30 @@ Section 6. PROBLEMS Q6.8 General problems (core dumps !) Q6.9 malloc and DECstations Q6.10 Can't resolve names without a "." - Q6.11 Err/TO errors being reported - Q6.12 Why does swapping kill BIND ? + Q6.11 Why does swapping kill BIND ? + Q6.12 Resource limits warning in system + Q6.13 ERROR:ns_forw: query...learnt + Q6.14 ERROR:zone has trailing dot + Q6.15 ERROR:Zone declared more then once + Q6.16 ERROR:response from unexpected source + Q6.17 ERROR:record too short from [zone name] + Q6.18 ERROR:sysquery: findns error (3) + Q6.19 ERROR:Err/TO getting serial# for XXX + Q6.20 ERROR:zonename IN NS points to a CNAME + Q6.21 ERROR:Masters for secondary zone [XX] unreachable + Q6.22 ERROR:secondary zone [XX] expired + Q6.23 ERROR:bad response to SOA query from [address] + Q6.24 ERROR:premature EOF, fetching [zone] + Q6.25 ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours + Q6.26 ERROR:connect(IP/address) for zone [XX] failed + Q6.27 ERROR:sysquery: no addrs found for NS + Q6.28 ERROR:zone [name] rejected due to errors ----------------------------------------------------------------------------- Question 6.1. No address for root server -Date: Mon Jan 2 13:49:43 EST 1995 +Date: Wed Jan 14 12:15:54 EST 1998 Q: I've been getting the following messages lately from bind-4.9.2.. ns_req: no address for root server @@ -835,6 +1306,7 @@ We are behind a firewall and have the following for our named.cache file - . 99999999 IN NS POBOX.FOOBAR.COM. 99999999 IN NS FOOHOST.FOOBAR.COM. foobar.com. 99999999 IN NS pobox.foobar.com. + You can't do that. Your nameserver contacts POBOX.FOOBAR.COM, gets the correct list of root servers from it, then tries again and fails because of your firewall. 
@@ -843,6 +1315,23 @@ You will need a 'forwarder' definition, to ensure that all requests are forwarded to a host which can penetrate the firewall. And it is unwise to put phony data into 'named.cache'. +Q: We are getting logging information in the form: + +Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS + (A.ROOT-SERVERS.NET) +Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS + (B.ROOT-SERVERS.NET) +Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS + (C.ROOT-SERVERS.NET) +... + +We are running bind 4.9.5PL1 Our system IS NOT behind a firewall. Any ideas ? + +This was discussed on the mailing list in November of 1996. The short +answer was to ignore it as it was not a problem. That being said, you +should upgrade to a newer version at this time if you are running a +non-current version :-) + ----------------------------------------------------------------------------- Question 6.2. Error - No Root Nameservers for Class XX @@ -854,6 +1343,7 @@ Q: I've received errors before about "No root nameservers for class XX" I believe that Class 1 is Internet Class data. And I think I heard someone say that Class 4 is Hesiod?? Does anyone know what the various Class numbers are? + From RFC 1700: DOMAIN NAME SYSTEM PARAMETERS @@ -875,6 +1365,7 @@ From RFC 1700: 65535 Reserved [PM1] DNS information for RFC 1700 was taken from + ftp.isi.edu : /in-notes/iana/assignments/dns-parameters Hesiod is class 4, and there are no official root nameservers for class 4, @@ -970,7 +1461,7 @@ Q: Given the example - Now, while reading the operating manual of bind it clearly states that this is *not* valid. These two statements clearly contradict - each other. Is there some later rfc than 974 that overrides what is + each other. Is there some later RFC than 974 that overrides what is said in there with respect to MX and CNAMEs? Anyone have the reference handy? 
@@ -1115,6 +1606,7 @@ in the old resolvers, and you are timing out trying to resolve the address with one of these domains tacked on. When resolving internic.net the following will be tried in order. + internic.net.langley.af.mil internic.net.af.mil internic.net.mil @@ -1126,36 +1618,14 @@ RFC 1535 aware resolvers try qualified address first. internic.net.langley.af.mil internic.net.af.mil internic.net.mil + RFC 1535 documents the problems associated with the old search algorithim, including security issues, and how to alleviate some of the problems. ----------------------------------------------------------------------------- -Question 6.11. Err/TO errors being reported - -Date: Sun May 5 23:46:32 EDT 1996 - -Why are errors like - - Apr 2 20:41:58 nameserver named[25846]: Err/TO getting serial# for - "foobar.domain1.com" - Apr 2 20:41:59 nameserver named[25846]: Err/TO getting serial# for - "foobar.domain2.com" - -reported ? These generally indicate that there is one of the following -problems: - -* A network problem between you and the primary, -* A bad IP address in named.boot, -* The primary is Lame for the zone. - -An external check to see if you can retrieve the SOA is the best way to -work out which it is. - ------------------------------------------------------------------------------ - -Question 6.12. Why does swapping kill BIND ? +Question 6.11. Why does swapping kill BIND ? Date: Thu Jul 4 23:20:20 EDT 1996 
@@ -1201,6 +1671,292 @@ And the answer is: even if you're just hammering on some hot spots -- that's the part I'd like to fix. Malloc isn't cooperating.) +----------------------------------------------------------------------------- + +Question 6.12. Resource limits warning in system + +Date: Sun Feb 15 22:04:43 EST 1998 + +When bind-8.1.1 is started the following informational message appears in +the syslog... + + Feb 13 14:19:35 ns1named[1986]: + "cannot set resource limits on this system" + +What does this mean ? + +A: It means that BIND doesn't know how to implement the "coresize", +"datasize", "stacksize", or "files" process limits on your OS. + +If you're not using these options, you may ignore the message. + +----------------------------------------------------------------------------- + +Question 6.13. ERROR:ns_forw: query...learnt + +Date: Sun Feb 15 23:08:06 EST 1998 + +The following message appears in syslog: + + Jan 22 21:59:55 server1 named[21386]: ns_forw: query(testval) contains + our address (dns1.foobar.org:1.2.3.4) learnt (A=:NS=) + +what does it mean ? + +A: This means that when it was looking up the NS records for the domain +containing "testval" (i.e. the root domain), it found an NS record +pointing to dns1.foobar.org, and the A record for this is 1.2.3.4. +This is server1's own IP address, but it's not authoritative for the +root domain. The (A-:NS=) part of the message means that it didn't +learn these NS records from any other machine. + +You may have listed dns1.foobar.org in your root server cache +file, even though it's not configured as a root server. + + +\question 09jul:linuxq ERROR:recvfrom: Connection refused + +Date: Wed Jul 9 21:57:40 EDT 1997 + +DNS on my linux system is reporting the error + +\verbatim +Mar 26 12:11:20 idg named[45]: recvfrom: Connection refused + +When I start or restart the named program I get no errors. What could be +causing this ? + +A: Are you running the BETA9 version of bind 4.9.3 ? 
It is a bug that +does no harm and the error reporting was corrected in later releases. You +should upgrade to a newer version of bind. + +----------------------------------------------------------------------------- + +Question 6.14. ERROR:zone has trailing dot + +Date: Wed Jul 9 22:11:51 EDT 1997 + +If syslog reports "zone has trailing dot", the zone information contains a +trailing dot in the named.boot file where it does not belong. + + + example: + secondary domain.com. xxx.xxx.xxx.xxx S-domain.com + ^ +----------------------------------------------------------------------------- + +Question 6.15. ERROR:Zone declared more then once + +Date: Wed Jul 9 22:12:45 EDT 1997 + +If syslog reports "Zone declared more then once", + +A zone is specified multiple times in the named.boot file + + example: + secondary domain.com 198.247.225.251 S-domain.com + secondary zone.com 198.247.225.251 S-zone.com + primary domain.com P-domain.com + + domain.com is declared twice, once as primary, and once as secondary + +----------------------------------------------------------------------------- + +Question 6.16. ERROR:response from unexpected source + +Date: Wed Jul 9 22:12:45 EDT 1997 + +If syslog reports "response from unexpected source", BIND (pre 4.9.3) has +a bug if implimented on a multi homed server. This error indicates that +the response to a query came from an address other then the one sent to. +So, if ace gets a response from an unexpected source, ace will ignore the +response. + +----------------------------------------------------------------------------- + +Question 6.17. ERROR:record too short from [zone name] + +Date: Mon Jun 15 21:34:49 EDT 1998 + +If syslog report "record too short from [zone name]", The secondary server +is trying to pull a zone from the primary server. For some reason, the +primary sent an incomplete zone. This usually is a problem at the primary +server. 
+ + To troubleshoot, try this: + + dig [zonename] axfr @[primary IP address] + + Often, this is caused by a line broken in the middle. + +When the primary server's "named.boot" file contains "xfrnets" entries +for other servers and the secondary is not listed, this error can occur. +Creating an "xfrnets" entry for the secondary will solve the error. + +----------------------------------------------------------------------------- + +Question 6.18. ERROR:sysquery: findns error (3) + +Date: Wed Jul 9 22:17:09 EDT 1997 + +If syslog reports "sysquery: findns error (3)" or +"qserial_query(zonename): sysquery FAILED", there is no ns record for the +zone. or the NS record is not defined correctly. + +----------------------------------------------------------------------------- + +Question 6.19. ERROR:Err/TO getting serial# for XXX + +Date: Wed Jul 9 22:18:41 EDT 1997 + +If syslog reports "Err/TO getting serial# for XXX", there could be a +number of possible errors: + + - An incorrect IP address in named.boot, + - A network reachibility problem, + - The primary is lame for the zone. + +An external check to see if you can retrieve the SOA is the best way to +work out which it is. + +----------------------------------------------------------------------------- + +Question 6.20. ERROR:zonename IN NS points to a CNAME + +Date: Wed Jul 9 22:20:29 EDT 1997 + +If syslog reports "zonename IN NS points to a CNAME" or "zonename IN MX +points to a CNAME", named is 'reminding' you that due to various RFCs, an +NS or MX record cannot point to a CNAME. + + EXAMPLE 1 + --------- + domain.com IN SOA (...stuff...) + IN NS ns.domain.com. + ns IN CNAME machine.domain.com. + machine IN A 1.2.3.4 + + The IN NS record points to ns, which is a CNAME for machine. This + is what results in the above error + + EXAMPLE 2 + --------- + domain.com IN SOA (...stuff...) + IN MX mail.domain.com. + mail IN CNAME machine.domain.com. + machine IN A 1.2.3.4 + + This would cause the MX variety of the error. 
+ + The fix is point MX and NS records to a machine that is defined explicitly + by an IN A record. + +----------------------------------------------------------------------------- + +Question 6.21. ERROR:Masters for secondary zone [XX] unreachable + +Date: Wed Jul 9 22:24:27 EDT 1997 + +If syslog reports "Masters for secondary zone [XX] unreachable", the +initial attempts to load a zone failed, and the name server is still +trying. If this occurs multiple times, a problem exists, likely on the +primary server. This is a fairly generic error, and could indicate a vast +number of problems. It might be that named is not running on the primary +server, or they do not have the correct zone file. If this keeps up long +enough a zone might expire. + +----------------------------------------------------------------------------- + +Question 6.22. ERROR:secondary zone [XX] expired + +Date: Wed Jul 9 22:25:53 EDT 1997 + +If syslog reports "secondary zone [XX] expired", there has been a +expiration of a secondary zone on this server. + +An expired zone is one in which a transfer hasn't successfully been +completed in the amount of time specified before a zone expires. + +This problem could be anything which prevents a zone transfer: The primary +server is down, named isn't running on the primary, named.boot has the +wrong IP address, etc. + +----------------------------------------------------------------------------- + +Question 6.23. ERROR:bad response to SOA query from [address] + +Date: Wed Jan 14 12:15:11 EST 1998 + +If syslog reports "bad response to SOA query from [address], zone [name]", +a syntax error may exist in the SOA record of the zone your server is +attempting to pull. + +It may also indicate that the primary server is lame, possibly due to a +syntax error somewhere in the zone file. + +----------------------------------------------------------------------------- + +Question 6.24. 
ERROR:premature EOF, fetching [zone] + +Date: Wed Jul 9 22:28:26 EDT 1997 + +If syslog reports "premature EOF, fetching [zone]", a syntax error exists +on the zone at the primary location, likely towards the End of File (EOF) +location. + +----------------------------------------------------------------------------- + +Question 6.25. ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours + +Date: Wed Jul 9 22:30:03 EDT 1997 + +If syslog reports "Zone [name] SOA serial# rcvd from [address] is < ours", +the zone transfer failed because the primary machine has a lower serial +number in the SOA record than the one on file on this server. + +----------------------------------------------------------------------------- + +Question 6.26. ERROR:connect(IP/address) for zone [XX] failed + +Date: Wed Jan 14 12:21:40 EST 1998 + +If syslog reports "connect(address) for zone [name] failed: No route to +host" or "connect(address) for zone [name] failed: Connection timed out", +it could be that there is no route to the specified host or a slow primary +system. Try a traceroute to the address specified to isolate the problem. +The problem may be a mistyped IP address in named.boot. + +A very slow primary machine or a connection may have been initialized, +then connectivity lost for some reason, etc. Try networking +troubleshooting tools like ping and traceroute, then try connecting to +port 53 using nslookup or dig. + +If syslog reports "connect(address) for zone [name] failed: Connection +refused", the destination address is not allowing the connection. Either +the destination is not running DNS (port 53), or possibly filtering the +connection from you. It is also possible that the named.boot is pointing +to the wrong address. + +----------------------------------------------------------------------------- + +Question 6.27. 
ERROR:sysquery: no addrs found for NS + +Date: Wed Jul 9 22:37:01 EDT 1997 + +If syslog reports "sysquery: no addrs found for NS" , the IN NS record may +be pointing to a host with no IN A record. + +----------------------------------------------------------------------------- + +Question 6.28. ERROR:zone [name] rejected due to errors + +Date: Wed Jul 9 22:37:51 EDT 1997 + +If syslog reports "primary zone [name] rejected due to errors", there will +likely be another more descriptive error along with this, like "zonefile: +line 17: database format error". That zone file should be investigated +for errors. + =============================================================================== Section 7. ACKNOWLEDGEMENTS @@ -1213,14 +1969,17 @@ Section 7. ACKNOWLEDGEMENTS Question 7.1. How is this FAQ generated ? -Date: Fri Dec 6 16:51:31 EST 1996 +Date: Mon Jun 15 21:45:53 EDT 1998 This FAQ is maintained in BFNN (Bizzarre Format with No Name). This allows me to create ASCII, HTML, and GNU info (postscript coming soon) from one source file. The perl script "bfnnconv.pl" that is available with the linux FAQ is used -to generate the various output files from the BFNN source. +to generate the various output files from the BFNN source. This script is +available at + +txs-11.mit.edu : /pub/linux/docs/linux-faq/linux-faq.source.tar.gz ----------------------------------------------------------------------------- 
@@ -1230,26 +1989,28 @@ Date: Fri Dec 6 16:51:31 EST 1996 You may obtain one of the following formats for this document: -* ASCII: http://www.users.pfmc.net/~cdp/cptd-faq/cptd-faq.ascii -* BFNN: http://www.users.pfmc.net/~cdp/cptd-faq/cptd-faq.bfnn -* GNU info: http://www.users.pfmc.net/~cdp/cptd-faq/cptd-faq.info -* HTML: http://www.users.pfmc.net/~cdp/cptd-faq/index.html +* ASCII: http://www.intac.com/~cdp/cptd-faq/cptd-faq.ascii +* BFNN: http://www.intac.com/~cdp/cptd-faq/cptd-faq.bfnn +* GNU info: http://www.intac.com/~cdp/cptd-faq/cptd-faq.info +* HTML: http://www.intac.com/~cdp/cptd-faq/index.html ----------------------------------------------------------------------------- Question 7.3. Contributors -Date: Sat Dec 7 01:29:29 EST 1996 +Date: Thu Jul 16 10:45:57 EDT 1998 Many people have helped put this list together. Listed in e-mail address alphabetical order, the following people have contributed to this FAQ: +* <BERI@etf.bg.ac.yu> (Berislav Todorovic) * <Benoit.Grange@inria.fr> (Benoit.Grange) * <D.T.Shield@csc.liv.ac.uk> (Dave Shield) +* <Karl.Auer@anu.edu.au> (Karl Auer) * <Todd.Aven@BankersTrust.Com> * <adam@comptech.demon.co.uk> (Adam Goodfellow) * <andras@is.co.za> (Andras Salamon) -* <barmar@nic.near.net> (Barry Margolin) +* <barmar@bbnplanet.com> (Barry Margolin) * <barr@pop.psu.edu> (David Barr) * <bj@herbison.com> (B.J. Herbison) * <bje@cbr.fidonet.org> (Ben Elliston) @@ -1258,6 +2019,8 @@ alphabetical order, the following people have contributed to this FAQ: * <cdp2582@hertz.njit.edu> (Chris Peckham) * <cricket@hp.com> (Cricket Liu) * <cudep@csv.warwick.ac.uk> (Ian 'Vato' Dickinson [ID17]) +* <dj@netscape.com> (David Jagoda) +* <djk@cyber.com.au> (David Keegel) * <dillon@best.com> (Matthew Dillon) * <dparter@cs.wisc.edu> (David Parter) * <e07@nikhef.nl> (Eric Wassenaar) 
@@ -1268,15 +2031,22 @@ alphabetical order, the following people have contributed to this FAQ: * <harvey@indyvax.iupui.edu> (James Harvey) * <hubert@cac.washington.edu> (Steve Hubert) * <ivanl@pacific.net.sg> (Ivan Leong) +* <jpass@telxon.com> (Jim Pass) * <jhawk@panix.com> (John Hawkinson) * <jmalcolm@uunet.uu.net> (Joseph Malcolm) * <jprovo@augustus.ultra.net> (Joe Provo) +* <jrs@foliage.com> (J. Richard Sladkey) +* <jsd@gamespot.com> (Jon Drukman) +* <jwells@pacificcoast.net> (John Wells) +* <kop@meme.com> (Karl O. Pinc) * <kevin@cfc.com> (Kevin Darcy) * <lamont@abstractsoft.com> (Sean T. Lamont) * <lavondes@tidtest.total.fr> (Michel Lavondes) * <mark@ucsalf.ac.uk> (Mark Powell) * <marka@syd.dms.CSIRO.AU> (Mark Andrews) * <mathias@unicorn.swi.com.sg> (Mathias Koerber) +* <mfuhr@dimensional.com> (Michael Fuhr) +* <mike@westie.gi.net> (Michael Hawk) * <mjo@iao.ford.com> (Mike O'Connor) * <nick@flapjack.ieunet.ie> (Nick Hilliard) * <oppedahl@popserver.panix.com> (Carl Oppedahl) @@ -1285,12 +2055,15 @@ alphabetical order, the following people have contributed to this FAQ: * <pb@fasterix.frmug.fr.net> (Pierre Beyssac) * <ph10@cus.cam.ac.uk> (Philip Hazel) * <phil@netpart.com> (Phil Trubey) +* <raj@ceeri.ernet.in> (Raj Singh) * <rocky@panix.com> (R. Bernstein) * <rv@seins.Informatik.Uni-Dortmund.DE> (Ruediger Volk) +* <sedwards@sedwards.com> (Steve Edwards) * <shields@tembel.org> (Michael Shields) +* <spsprunk@pop.srv.paranet.com> (Stephen Sprunk) * <tanner@george.arc.nasa.gov> (Rob Tanner) * <vixie@vix.com> (Paul A Vixie) -* <wag@swl.msd.ray.com> (William Gianopoulos {84718) +* <wag@swl.msd.ray.com> (William Gianopoulos) * <whg@inel.gov> (Bill Gray) * <wolf@pasteur.fr> (Christophe Wolfhugel) |
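Review bot: in the first hunk (@@ -1201,6 +1671,292 @@), the entry "\question 09jul:linuxq ERROR:recvfrom: Connection refused" that sits between Questions 6.13 and 6.14 is unprocessed BFNN source: the `\question` directive and the `\verbatim` marker were never rendered, the entry carries no question number, the verbatim block is never closed, and it lacks the dashed separator every other question has. Either render it as a numbered Question 6.x like its neighbours or drop it from the ASCII output. In the same hunk, Question 6.13 quotes the log line as "(A=:NS=)" but the explanation refers to "(A-:NS=)"; the two should agree. Question 6.16 reads "if ace gets a response", which looks like a hostname left over from the original report and should say "named" or "the server". Spelling in the added text: "implimented" (6.16), "other then the one sent to" (6.16), "reachibility" (6.19).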
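Review bot: in hunk @@ -1213,14 +1969,17 @@, the added download pointer "txs-11.mit.edu : /pub/linux/docs/linux-faq/linux-faq.source.tar.gz" is a bare host and path separated by a spaced colon, while every other location in this FAQ (Question 7.2) is written as a full URL; giving it a scheme and writing it as one URL would make it unambiguous how to fetch the file.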
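Review bot: in hunk @@ -1258,6 +2019,8 @@, the two new lines "* <dj@netscape.com> (David Jagoda)" and "* <djk@cyber.com.au> (David Keegel)" are inserted before "* <dillon@best.com> (Matthew Dillon)", but the list is stated to be in e-mail address alphabetical order and "dillon" sorts before "dj"; move both new entries to just after the dillon line (they still precede "dparter").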
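Review bot: in hunk @@ -1268,15 +2031,22 @@, two additions break the stated e-mail alphabetical order: "* <jpass@telxon.com> (Jim Pass)" is placed before "* <jhawk@panix.com>" and belongs between the jmalcolm and jprovo entries, and "* <kop@meme.com> (Karl O. Pinc)" is placed before "* <kevin@cfc.com>" and belongs after it (before "lamont"). The other additions in this hunk (jrs, jsd, jwells, mfuhr, mike) and those in @@ -1285,12 +2055,15 @@ (raj, sedwards, spsprunk) are correctly ordered.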