Diffstat (limited to 'contrib/bind/doc/misc/FAQ.1of2')
-rw-r--r-- | contrib/bind/doc/misc/FAQ.1of2 | 1339 |
1 files changed, 1339 insertions, 0 deletions
diff --git a/contrib/bind/doc/misc/FAQ.1of2 b/contrib/bind/doc/misc/FAQ.1of2 new file mode 100644 index 0000000..ab55bea --- /dev/null +++ b/contrib/bind/doc/misc/FAQ.1of2 
@@ -0,0 +1,1339 @@ +Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers +Path: vixie!news1.digital.com!uunet!in1.uu.net!usc!rutgers!njitgw.njit.edu!hertz.njit.edu!cdp2582 +From: cdp@njit.edu (Chris Peckham) +Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 1 of 2) +Message-ID: <cptd-faq-1-810621452@njit.edu> +Followup-To: comp.protocols.tcp-ip.domains +Originator: cdp2582@hertz.njit.edu +Keywords: BIND,DOMAIN,DNS +Sender: news@njit.edu +Supersedes: <cptd-faq-1-807632375@njit.edu> +Nntp-Posting-Host: hertz.njit.edu +X-Posting-Frequency: posted on the 1st of each month +Reply-To: domain-faq@njit.edu (comp.protocols.tcp-ip.domains FAQ comments) +Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA +Date: Sat, 9 Sep 1995 04:37:47 GMT +Approved: news-answers-request@MIT.EDU +Expires: Sat 14 Oct 95 00:37:32 EDT +Lines: 1319 +Xref: vixie comp.protocols.tcp-ip.domains:6018 comp.answers:13881 news.answers:49918 + +Posted-By: auto-faq 3.1.1.2 +Archive-name: internet/tcp-ip/domains-faq/part1 +Revision: 1.6 1995/05/12 18:49:48 + + +This FAQ is edited and maintained by Chris Peckham, <cdp@njit.edu>. +The latest version may always be found for anonymous ftp from + + ftp://rtfm.mit.edu/pub/usenet/news.answers/internet/tcp-ip/domains-faq + ftp://ftp.njit.edu/pub/dns/Comp.protocols.tcp-ip.domains.FAQ + +If you can contribute any answers for items in the TODO section, please do +so by sending e-mail to domain-faq@njit.edu ! If you know of any items that +are not included and you feel that they should be, send the relevant +information to domain-faq@njit.edu. + + +------------------------------ + +Date: Fri May 12 14:41:47 EDT 1995 +Subject: Table of Contents + +Table of Contents +================= +Part 1 +------ + 0. TO DO + 1. INTRODUCTION / MISCELLANEOUS + 1.1 What is this newsgroup ? + 1.2 More information + 1.3 What is BIND and where is the latest version of BIND ? 
+ 1.4 How can I find the route between systems ? + 1.5 Finding the hostname if you have the tcp-ip address + 1.6 How to register a domain name + 1.7 Change of Domain name + 1.8 How memory and CPU does DNS use ? + 1.9 Other things to consider when planning your servers + 1.10 Proper way to get NS and reverse IP records into DNS + 1.11 How to get my address assign from NIC? + 1.12 Is there a block of private IP addresses I can use? + 1.13 Cache failed lookups + 1.14 What does an NS record really do ? + 1.15 DNS ports + 1.16 Obtaining the latest cache file + 2. UTILITIES + 2.1 Utilities to administer DNS zone files + 2.2 DIG - Domain Internet Groper + 2.3 DNS packet analyzer + 2.4 host + 2.5 Programming with DNS + 2.6 A source of information relating to DNS + 3. DEFINITIONS + 3.1 TCP/IP Host Naming Conventions + 3.2 Slaves and servers with forwarders + 3.3 When is a server authoritative? + 3.4 Underscore in host-/domain names + 3.5 Lame delegation + 3.6 What does opt-class field do? + 3.7 Top level domains + 3.8 Classes of networks + 3.9 What is CIDR ? + 3.10 What is the rule for glue ? + +Part 2 +------ + 4. CONFIGURATION + 4.1 Changing a Secondary server to a Primary + 4.2 How do I subnet a Class B Address ? + 4.3 Subnetted domain name service + 4.4 Recommended format/style of DNS files + 4.5 DNS on a system not connected to the Internet + 4.6 Multiple Domain configuration + 4.7 wildcard MX records + 4.8 How to identify a wildcard MX record + 4.9 Why are fully qualified domain names recommended ? + 4.10 Distributing load using named + 4.11 Order of returned records + 4.12 resolv.conf + 4.13 Delegating authority + 4.14 DNS instead of NIS on a Sun OS 4.1.x system + 5. PROBLEMS + 5.1 No address for root server + 5.2 Error - No Root Nameservers for Class XX + 5.3 Bind 4.9.x and MX querying? 
+ 5.4 Some root nameservers don't know localhost + 5.5 MX records and CNAMES and separate A records for MX targets + 5.6 NS is a CNAME + 5.7 Nameserver forgets own A record + 5.8 General problems (core dumps !) + 5.9 malloc and DECstations + 6. ACKNOWLEDGEMENTS + +------------------------------ + +Date: Wed May 3 12:55:13 EDT 1995 +Subject: Q0 - TO DO list + + +* How to do an initial installation +* How to change service providers (what happens) +* Explain the difference between BIND (an implementation) and DNS (spec) +* Expand the slave/forward section of Q 3.2 +* Add a definition of a "private domain" in discussion (or cut it out) +* mention mail-to-news gateways for newsgroup, mailing lists, anonymous + ftp, etc in what is newsgroup section +* The evils of wildcard MX records + + + +------------------------------- + +Date: Thu Dec 1 11:08:28 EST 1994 +Subject: Q1.1 - What is this newsgroup ? + +comp.protocols.tcp-ip.domains is the usenet newsgroup for discussion +on issues relating to the Domain Name System (DNS). + +This newsgroup is not for issues directly relating to IP routing and +addressing. Issues of that nature should be directed towards +comp.protocols.tcp-ip. 
+ + +------------------------------- + + +Date: Fri May 12 13:54:01 EDT 1995 +Subject: Q1.2 - More information + + You can find more information concerning DNS in the following places: + + * The BOG (BIND Operations Guide) - in the BIND distribution + * The FAQ included with bind4.9.3 doc/misc/FAQ + * DNS and BIND by Albitz and Liu (an O'Reilly & Associates Nutshell + handbook) + * A number of RFCs (920, 974, 1032, 1034, 1101, 1123, 1178, 1183, 1348, + 1535, 1536, 1537, 1591, 1706, 1712, 1713) + * The DNS Resource Directory (DNSRD) + http://www.dns.net/dnsrd + * If you are having troubles relating to sendmail and DNS, you may wish to + refer to the USEnet newsgroup comp.mail.sendmail and/or the FAQ for that + newsgroup + ftp://rtfm.mit.edu/pub/usenet/news.answers/mail/sendmail-faq + * Information concerning some frequently asked questions relating to + the Internet (i.e., what is the InterNIC, what is an RFC, what is the + IETF, etc) may be found for anonymous ftp from + ftp://ds.internic.net/fyi/fyi4.txt + A version may also be obtained with the URL + gopher://ds.internic.net/00/fyi/fyi4.txt + + +------------------------------- + +Date: Fri Aug 4 10:18:58 EDT 1995 +Subject: Q1.3 - What is BIND and where is the latest version of BIND ? + +Q: What is BIND ? + +A: From the BOG Introduction - + + The Berkeley Internet Name Domain (BIND) implements + an Internet name server for the BSD operating system. + The BIND consists of a server (or ``daemon'') and a + resolver library. A name server is a network service + that enables clients to name resources or objects and + share this information with other objects in the network. + This in effect is a distributed data base system for + objects in a computer network. BIND is fully integrated + into BSD (4.3 and later releases) network programs for + use in storing and retrieving host names and address. 
+ The system administrator can configure the system to use + BIND as a replacement to the older host table lookup of + information in the network hosts file /etc/hosts. The + default configuration for BSD uses BIND. + +Q: Where is the latest non-beta version of BIND ? + +A: The latest non-beta version of BIND is version 4.9.2. This can be + found for anonymous ftp from + + ftp://gatekeeper.dec.com/pub/misc/vixie/4.9.2-940221.tar.gz + +Q: Where is the latest version of 4.9.3 located ? + +A: You can reference this URL: + + http://www.isc.org/isc/ + + At this time, the latest version of 4.9.3 may be found for anonymous ftp + from + + ftp://ftp.vix.com/pub/bind/testing/bind-4.9.3-BETA24.tar.gz + + You will need GNU zip, Larry Wall's patch program (if there are any + patch files), and a C compiler to get BIND running from the above + mentioned source. + + GNU zip is available for anonymous ftp from + + ftp://prep.ai.mit.edu/pub/gnu/gzip-1.2.4.tar + + patch is available for anonymous ftp from + + ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz + +------------------------------ + +Date: Mon Jan 2 13:27:27 EST 1995 +Subject: Q1.4 - How can I find the route between systems + +Q: How can I find the path taken by packets between two systems/domains ? + +A: Get the source of the 'traceroute' command, compile it and install + it on your system. + + One version of this program with additional functionality may be found + for anonymous ftp from + + ftp://ftp.nikhef.nl/pub/network/traceroute.tar.Z + + This package is mirrored at + + ftp://ftp.njit.edu/pub/dns/nikhef/traceroute.tar.Z + + Another version may be found for anonymous ftp from + + ftp://ftp.psc.edu/pub/net_tools/traceroute.tar + + +------------------------------ + +Date: Thu Dec 1 09:55:24 EST 1994 +Subject: Q1.5 - Finding the hostname if you have the tcp-ip address + +Q: Can someone tell me how can I find the name of the domain if I know the + tcp-ip address of the domain? Is there some kind of service for this? 
+ +A: For an address a.b.c.d you can always do: + +% nslookup +> set q=ptr +> d.c.b.a.in-addr.arpa. + + Most newer version of nslookup (since 4.8.3) will recognize an address, + so you can just say: + +% nslookup a.b.c.d + + DiG will work like this also: + +$ dig -x a.b.c.d + + Host from the contrib/host from the bind distribution may also be used. + +------------------------------- + +Date: Fri Apr 28 13:16:32 EDT 1995 +Subject: Q1.6 - How to register a domain name + +Q: I would like to register a domain. How do I do this ? Can a name be + reserved, or must we already have an IP address and be hooked up to the + Internet before obtaining a domain name? + +A: You can talk to your Internet Service Provider (ISP). They can submit + the registration for you. If you are not going to be directly + connected, they should be able to offer MX records for your domain + for mail delivery (so that mail sent to the new domain will be sent + to your "standard" account). In the case where the registration is + done by the organization itself, it still makes the whole process + much easier if the ISP is approached for secondary servers _before_ + the InterNIC is approached for registration. + + For information about making the registration yourself, look to the + InterNIC ! + + ftp://internic.net/templates/ + gopher://rs.internic.net/ + http://www.internic.net/infoguide.html + http://www.ripe.net + + You will need at least two domain name servers when you register your + domain. Many ISP's are willing to provide primary and/or secondary name + service for their customers. + + Many times, registration of a domain name can be initiated by sending + e-mail to the zone contact. You can obtain the contact in the + SOA record for the country, or in a whois server: + + $ nslookup -type=SOA fr. + origin = ns1.nic.fr + mail addr = nic.nic.fr + ... + + The mail address to contact in this case is 'nic@nic.fr' (you must + substitute an '@' for the first dot in the mail addr field). 
+ + An alternate method to obtain the e-mail address of the national NIC + is the 'whois' server at InterNIC. + + You may be requested to make your request to another email address or + using a certain information template/application. + + +------------------------------- + +Date: Sun Nov 27 23:32:41 EST 1994 +Subject: Q1.7 - Change of Domain name + +Q: We are preparing for a change of our domain name: + abc.foobar.com -> foobar.net + + What are the tricks and caveats we should be aware of ? + +A: The forward zones are easy and there are a number of ways to do it. + One way is the following: + + Have a single db file for the 2 domains, and have a single machine + be the primary server for both abc.foobar.com and foobar.net. + + To resolve the host foo in both domains, use a single zone file which + merely uses this for the host: + +foo IN A 1.2.3.4 + + Use a "@" wherever the domain would be used ie for the SOA: + +@ IN SOA (... + + Then use this pair of lines in your named.boot: + +primary abc.foobar.com db.foobar +primary foobar.net db.foobar + + The reverse zones should either contain PTRs to both names, + or to whichever name you believe to be canonical currently. + +------------------------------- + +Date: Fri Apr 28 13:52:20 EDT 1995 +Subject: Q1.8 - How memory and CPU does DNS use ? + +Q: How much memory and CPU does DNS use ? + +A: It can use quite a bit ! The main thing that BIND needs is memory. + It uses very little CPU or network bandwidth. The main + considerations to keep in mind when planning are: + + 1) How many zones do you have and how large are they ? + 2) How many clients do you expect to serve and how active are they ? + + As an example, here is a snapshot of memory usage from CSIRO Division + of Mathematics and Statistics, Australia + + Named takes several days to stabalize its memory usage. + + Our main server stabalises at ~10Mb. It takes about 3 days to + reach this size from 6 M at startup. This is under Sun OS 4.1.3U1. 
+ + As another example, here is the configuration of ns.uu.net (from late + 1994): + + ns.uu.net only does nameservice. It is running a version of BIND + 4.9.3 on a Sun Classic with 96 MB of RAM, 220 MB of swap (remember + that Sun OS will reserve swap for each fork, even if it is not needed) + running Sun OS 4.1.3_U1. + + Joseph Malcolm, of Alternet, states that named generally hovers at + 5-10% of the CPU, except after a reload, when it eats it all. He + also states that if you are interested in the network connectivity + around the system (ns.uu.net is located off of Falls-Church4), a + PostScript map is available for anonymous ftp from + + ftp://ftp.uu.net/uunet-info/alternet.map.ps + + +------------------------------- + +Date: Mon Jan 2 14:24:51 EST 1995 +Subject: Q1.9 - Other things to consider when planning your servers + + When making the plans to set up your servers, you may want to also + consider the following issues: + + A) Server O/S limitations/capacities (which tend to be widely + divergent from vendor to vendor) + B) Client resolver behavior (even more widely divergent) + C) Expected query response time + D) Redundancy + E) Desired speed of change propagation + F) Network bandwidth availability + G) Number of zones/subdomain-levels desired + H) Richness of data stored (redundant MX records? HINFO records?) + I) Ease of administration desired + J) Network topology (impacts reverse-zone volume) + + Assuming a best-possible case for the factors above, particularly (A), (B), + (C), (F), (G) & (H), it would be possible to run a 1000-node domain + using a single lowly 25 or 40 MHz 386 PC with a fairly modest amount of RAM + by today's standards, e.g. 4 or 8 Meg. However, this configuration would + be slow, unreliable, and would provide no functionality beyond your basic + address-to-name and name-to-address mappings. 
+ + Beyond that baseline case, depending on what factors listed above, + you may want look at other strategies, such splitting up the DNS + traffic among several machines strategically located, possibly larger ones, + and/or subdividing your domain itself. There are many options, tradeoffs, + and DNS architectural paradigms from which to choose. + + +------------------------------ + +Date: Mon Jan 2 13:03:53 EST 1995 +Subject: Q1.10 - Proper way to get NS and reverse IP records into DNS + + +Q: Reverse domain registration is separate from forward domain registration. + How do I get it updated ? + +A: Blocks of network addresses have been delegated by the InterNIC. Check + if your network a.b.c.0 is in such a block by using nslookup: + + nslookup -type=soa c.b.a.in-addr.arpa. + nslookup -type=soa b.a.in-addr.arpa. + nslookup -type=soa a.in-addr.arpa. + + One of the above should give you the information you are looking for + (the others will return with an error something like `*** No start of + authority (SOA) records available for ...') + This will give you the email address of the person to whom you should + address your change request. + + If none of these works, your network probably has not been delegated + by the InterNIC and you need to contact them directly. + + CIDR has meant that the registration is delegated, but registration + of in-addr.arpa has always been separate from forward zones - and + for good reason - in that the forward and reverse zones may have + different policies, contents etc, may be served by a different set + of nameservers, and exist at different times (usually only at point + of creation). There isn't a one-to-one mapping between the two, so + merging the registration would probably cause more problems than + people forgetting/not-knowing that they had to register in-addr.arpa + zones separately. 
For example, there are organizations that have + hundreds of networks and two or more domains, with a sprinkling of + machines from each network in each of the domains. + + +------------------------------- + +Date: Mon Jan 2 13:08:38 EST 1995 +Subject: Q1.11 - How to get my address assign from NIC ? + + +Q: Can anyone tell me how can I get the address from NIC? How many subnets + will NIC give to me? + +A: You should probably ask your Internet provider to give you an address. + These days, addresses are being distributed through the providers, + so that they can assign adjacent blocks of addresses to sites that + go through the same provider, to permit more efficient routing on + the backbones. + + Unless you have thousands of hosts, you probably won't be able to get a + class B these days. Instead, you can get a series of class C networks. + Large requests will be queried, so be ready to provide a network plan if + you ask for more than 16 class C networks. + + If you can't do this through your Internet provider, you can look for a + subnet registration form on rs.internic.net. See the answer in this FAQ + to the question "How to register a domain name" for a URL to these + forms. + +------------------------------- + +Date: Mon Jan 2 13:12:01 EST 1995 +Subject: Q1.12 -Is there a block of private IP addresses I can use? + + +Q: Is there a block of private IP addresses I can use? + +A: This answer may be found in the FAQ for the newsgroup comp.dcom.sys.cisco + available for anonymous ftp from + + ftp://rtfm.mit.edu/pub/usenet/comp.dcom.sys.cisco + + There is a block of private IP addresses that you can use. However + whether you wish to do so is an issue of some debate. + + There are two RFCs which discuss this issue, and present opposing + views: + +1597 Address Allocation for Private Internets. Y. Rekhter, B. + Moskowitz, D. Karrenberg & G. de Groot. March 1994. 
(Format: + TXT=17430 bytes) + +1627 Network 10 Considered Harmful (Some Practices Shouldn't be + Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994. + (Format: TXT=18823 bytes) + + Neither one of these RFCs is anything more than a set of informational + guidelines; they are *not* words to live by (remember that RFC stands + for Request For Comments). If you're seriously considering using + private IP addresses, please read them both. + + In any event, RFC 1597 documents the allocation of the following + addresses for use by ``private internets'': + + 10.0.0.0 - 10.255.255.255 + 172.16.0.0 - 172.31.255.255 + 192.168.0.0 - 192.168.255.255 + + Most importantly, it is vital that nothing using these addresses + should ever connect to the global Internet, or have plans to do so. + Please read the above RFCs before considering implementing such + a policy. + + +------------------------------- + +Date: Mon Jan 2 13:55:50 EST 1995 +Subject: Q1.13 - Cache failed lookups + +Q: Does BIND cache negative answers (failed DNS lookups) ? + +A: Yes, BIND 4.9.3 will cache negative answers. + + +------------------------------- + +Date: Fri Feb 10 15:35:07 EST 1995 +Subject: Q1.14 - What does an NS record really do ? + +Q: What does a NS record really do ? + +A: The NS records in your zone data file pointing to the zone's name + servers (as opposed to the servers of delegated subdomains) don't do + much. They're essentially unused, though they are returned in the + authority section of reply packets from your name servers. + +------------------------------- + +Date: Fri Feb 10 15:40:10 EST 1995 +Subject: Q1.15 - DNS ports + +Q: Does anyone out there have any information/experience on exactly which + TCP/UDP ports DNS uses to send and receive queries ? 
+ +A: Use the following chart: + + Prot Src Dst Use + udp 53 53 Queries between servers (eg, recursive queries) + Replies to above + tcp 53 53 Queries with long replies between servers, zone + transfers Replies to above + udp >1023 53 Client queries (sendmail, nslookup, etc ...) + udp 53 >1023 Replies to above + tcp >1023 53 Client queries with long replies + tcp 53 >1023 Replies to above + + Note: >1023 is for non-priv ports on Un*x clients. On other client + types, the limit may be more or less. + + Another point to keep in mind when designing filters for DNS is that a + DNS server uses port 53 both as the source and destination for it's + queries. So, a client queries an initial server from an unreserved + port number to UDP port 53. If the server needs to query another + server to get the required info, it sends a UDP query to that server + with both source and destination ports set to 53. The response is then + sent with the same src=53 dest=53 to the first server which then + responds to the original client from port 53 to the original source + port number. + + The point of all this is that putting in filters to only allow UDP + between a high port and port 53 will not work correctly, you must also + allow the port 53 to port 53 UDP to get through. + + Also, ALL versions of BIND use TCP for queries in some cases. The + original query is tried using UDP. If the response is longer than + the allocated buffer, the resolver will retry the query using a TCP + connection. If you block access to TCP port 53 as suggested above, + you may find that some things don't work. + + Newer version of BIND allow you to configure a list of IP addresses + from which to allow zone transfers. This mechanism can be used to + prevent people from outside downloading your entire namespace. 
+ + +------------------------------- + + +Date: Fri Apr 28 14:19:10 EDT 1995 +Subject: Q1.16 - Obtaining the latest cache file + +Q: What is the cache file and where can I obtain the latest version ? + +A: From the "Name Server Operations Guide" + + 6.3. Cache Initialization + + 6.3.1. root.cache + + The name server needs to know the servers that + are the authoritative name servers for the root + domain of the network. To do this we have to prime + the name server's cache with the addresses of these + higher authorities. The location of this file is + specified in the boot file. ... + + A copy of the comments in the file available from the InterNIC follow: + + ; This file holds the information on root name servers needed to + ; initialize cache of Internet domain name servers + ; (e.g. reference this file in the "cache . <file>" + ; configuration file of BIND domain name servers). + ; + ; This file is made available by InterNIC registration services + ; under anonymous FTP as + ; file /domain/named.root + ; on server FTP.RS.INTERNIC.NET + ; -OR- under Gopher at RS.INTERNIC.NET + ; under menu InterNIC Registration Services (NSI) + ; submenu InterNIC Registration Archives + ; file named.root + ; + ; last update: Oct 5, 1994 + ; related version of root zone: 1994100500 + ; + + If you have a version of dig running, you may obtain the information with + the command + + dig @ns.internic.net . ns + + +------------------------------- + + +Date: Mon Jan 2 13:13:49 EST 1995 +Subject: Q2.1 - Utilities to administer DNS zone files + +Q: I am wondering if there are utilities available to ease the + administration of the zone files in the DNS. + +A: There are a few. Two common ones are h2n and makezones. Both are perl + scripts. h2n is used to convert host tables into zone data files. It + is available for anonymous ftp from + + ftp://ftp.uu.net/published/oreilly/nutshell/dnsbind/dns.tar.Z. 
+ + makezones works from a single file that looks like a forward zone file, + with some additional syntax for special cases. It is included in the + current BIND distribution. The newest version is always available for + anonymous ftp from + + ftp://ftp.cus.cam.ac.uk/pub/software/programs/DNS/makezones + + This package is mirrored at + + ftp://ftp.njit.edu/pub/dns/cus.cam.ac/makezones + + More information may be found using the DNS Resource Directory + + http://www.dns.net/dnsrd + + +------------------------------- + +Date: Thu Dec 1 11:09:11 EST 1994 +Subject: Q2.2 - DIG - Domain Internet Groper + +Q: Where can I find the latest version of DIG ? + +A: The latest and greatest, official, accept-no-substitutes version of DiG + is the one that comes with BIND. Get the latest kit. + +------------------------------- + +Date: Mon May 15 12:57:42 EDT 1995 +Subject: Q2.3 -DNS packet analyser + +Q: I'm looking for a Ethernet packet analyser of public domain or standard + (like tcpdump, snoop, packetman) that is able to determine DNS data + field protocol + +A: There is a free ethernet analyser called Ethload available for PC's + running DOS. The latest filename is ETHLD104.ZIP. It understands lots + of protocols including TCP/UDP. It'll look inside there and display + DNS/BOOTP/ICMP packets etc. (Ed. note: something nice for someone to + add to tcpdump ;^) ). Depending on the ethernet controller it's given + it'll perform slightly differently. It handles NDIS/Novell/Packet + drivers. It works best with Novell's promiscuous mode drivers. + A A SimTel mirror site should have the program available for anonymous + ftp. As an example, + + ftp://oak.oakland.edu/SimTel/msdos/lan/ethld104.zip + + +------------------------------- + +Date: Sun Dec 4 21:15:38 EST 1994 +Subject: Q2.4 - host + +A section from the host man page: + + host looks for information about Internet hosts and domain + names. 
It gets this information from a set of intercon- + nected servers that are spread across the world. The infor- + mation is stored in the form of "resource records" belonging + to hierarchically organized "zones". + + By default, the program simply converts between host names + and Internet addresses. However, with the -t, -a and -v + options, it can be used to find all of the information about + domain names that is maintained by the domain nameserver + system. The information printed consists of various fields + of the associated resource records that were retrieved. + + The arguments can be either host names (domain names) or + numeric Internet addresses. + +'host' is compatible with both BIND 4.9 and BIND 4.8 + +'host' may be found in contrib/host in the BIND distribution. The latest +version always available for anonymous ftp from + + ftp://ftp.nikhef.nl/pub/network/host.tar.Z + +It may also be found for anonymous ftp from + + ftp://ftp.uu.net/networking/ip/dns/host.tar.Z + +------------------------------- + +Date: Fri Feb 10 15:25:11 EST 1995 +Subject: Q2.5 - Programming with DNS + +Q: How can I use DNS information in my program? + +A: It depends on precisely what you want to do: + + a) Consider whether you need to write a program at all. It may well + be easier to write a shell program (e.g. using awk or perl) to parse + the output of dig, host or nslookup. + + b) If all you need is names and addresses, there will probably be + system routines 'gethostbyname' and 'gethostbyaddr' to provide this + information. + + c) If you need more details, then there are system routines (res_query + and res_search) to assist with making and sending DNS queries. + However, these do not include a routine to parse the resulting answer + (although routines to assist in this task are provided). There is a + separate library available that will take a DNS response and unpick + it into its constituent parts, returning a C structure that can be + used by the program. 
The source for this library is available for + anonymous ftp from + + ftp://hpux.csc.liv.ac.uk/hpux/Networking/Admin/resparse-* + + +------------------------------- + + +Date: Wed May 3 12:46:50 EDT 1995 +Subject: Q2.6 - A source of information relating to DNS + +Q: Where can I find utilities and tools to help me manage my zone files ? + +A: There are several tools available. Please refer to the "tools" section + of the DNS resources directory: + + http://www.dns.net/dnsrd/tools.html + + +------------------------------- + + +Date: Fri May 12 14:33:40 EDT 1995 +Subject: Q3.1 - TCP/IP Host Naming Conventions + +Q: Is a guide available relating to naming systems ? + +A: One guide/resource is RFC 1178, "Choosing a Name for Your Computer", + which is available via anonymous FTP from + + ftp://ftp.internic.netrfc/rfc1178.txt + + RFCs (Request For Comments) are specifications and guidelines for how + many aspects of TCP/IP and the Internet (should) work. Most RFCs are + fairly technical documents, and some have semantics that are hotly + contested in the newsgroups. But a few, like RFC 1178, are actually + good to read for someone who's just starting along a TCP/IP path. + + +------------------------------- + +Date: Thu Dec 1 10:32:43 EST 1994 +Subject: Q3.2 - What are slaves and forwarders ? + +Q: What are slaves and forwarders ? + +A: "forwarders" is a list of NS records that are _prepended_ to a list + of NS records to query if the data is not available locally. This + allows a rich cache of records to be built up at a centralized + location. This is good for sites that have sporadic or very slow + connections to the Internet. (demand dial-up, for example) It's + also just a good idea for very large distributed sites to increase + the chance that you don't have to go off to the Internet to get an + IP address. (sometimes for addresses across the street!) 
+ + "slave" modifies this to say to replace the list of NS records + with the forwarders entry, instead of prepending to it. This is + for firewalled environments, where the nameserver can't directly + get out to the Internet at all. + + "slave" is meaningless (and invalid, in late-model BINDs) without + "forwarders". "forwarders" is an entry in named.boot, and therefore + applies only to the nameserver (not to resolvers). + +------------------------------- + +Date: Mon Jan 2 13:15:13 EST 1995 +Subject: Q3.3 - When is a server authoritative? + + +Q: What criteria does a server use to determine if it is authoritative + for a domain? + +A: In the case of BIND: + 1) The server contains current data in files for the zone in + question (Data must be current for secondaries, as defined + in the SOA) + 2) The server is told that it is authoritative for the zone, by + a 'primary' or 'secondary' keyword in /etc/named.boot. + 3) The server does an error-free load of the zone. + +Q: I have set up a DNS where there is an SOA record for + the domain, but the server still does not consider itself + authoritative. (I used nslookup and set server=the correct machine.) + It seems to me that something is not matching up somewhere. I suspect + that this is because the service provider has not given us control + over the IP numbers in our own domain, and so while the machine listed + has an A record for an address, there is no corresponding PTR record. + +A: That's possible too, but is unrelated to the first question. + You need to be delegated a zone before outside people will start + talking to your server. However, a server can still be authoritative + for a zone even though it hasn't been delegated authority (it's just + that only the people who use that as their server will see the data). + + A server may consider itself non-authoritative even though it's a + primary if there is a syntax error in the zone (see point 3 above). 
+ +Q: I always believe that it was the NS record that defined authoritative + servers. + +A: Nope, delegation is a separate issue from authoritativeness. + You can still be authoritative, but not delegated. (you can also be + delegated, but not authoritative -- that's a "lame delegation") + +Q: We have had problems in the past from servers that were + authoritative (primary or secondary) but no NS, so other thought they + were not. Some resolvers get very confused when they get non- + authoritative data from the primary server. + +A: Yes, that's a lame delegation. That's not caused by what you said, + but rather by a server which is _not_ authoritative for a zone, yet + someone else (the parent) is saying that a server is authoritative + (via the NS records). + + The set of NS records in the parent zone must be a subset of the + authoritative servers to avoid lame delegations. + + +------------------------------- + +Date: Fri Apr 28 13:26:37 EDT 1995 +Subject: Q3.4 - underscore in host-/domainnames + + +Q: I had a quick look on whether underscores are allowed in host- or + domainnames. + + RFC 1033 allows them. + RFC 1035 doesn't. + RFC 1123 doesn't. + dnswalk complains about them. + + Which RFC is the final authority these days? + +A: Actually RFC 1035 deals with names of machines or names of + mail domains. i.e "_" is not permitted in a hostname or on the + RHS of the "@" in local@domain. + + Underscore is permitted where ever the domain is NOT one of + these types of addresses. + + In general the DNS mostly contains hostnames and mail domainnames. + This will change as new resource record types for authenticating DNS + queries start to appear. + + The latest version of 'host' checks for illegal characters in A/MX + record names and the NS/MX target names. + + After saying all of that, remember that RFC 1123 is a Required Internet + Standard (per RFC 1720), and RFC 1033 isn't. Even 1035 isn't a required + standard. Therefore, RFC 1123 wins, no contest. 
+ + +------------------------------- + +Date: Fri Dec 2 15:03:56 EST 1994 +Subject: Q3.5 - Lame delegation + +Q: What is lame delegation ? + +A: Two things are required for a lame delegation: + 1) A nameserver X is delegated as authoritative for a zone. + 2) Nameserver X is not performing nameservice for that zone. + + Try to think of a lame delegation as a long-term condition, brought + about by a misconfiguration somewhere. Bryan Beecher's 1992 LISA + paper on lame delegations is good to read on this. The problem + really lies in misconfigured nameservers, not "lameness" brought + about by transient outages. The latter is common on the Internet + and hard to avoid, while the former is correctable. + + In order to be performing nameservice for a zone, it must have + (presumed correct) data for that zone, and it must be answering + authoritatively to resolver queries for that zone. (The AA bit is + set in the flags section) + + The "classic" lame delegation case is when nameserver X is delegated + as authoritative for domain Y, yet when you ask Y about X, it + returns non-authoritative data. + + Here's an example that shows what happens most often (using dig, + dnswalk, and doc to find). + + Let's say the domain bogus.com gets registered at the NIC and they + have listed 2 primary name servers, both from their *upstream* + provider: + + bogus.com IN NS ns.bogus.com + bogus.com IN NS upstream.com + bogus.com IN NS upstream1.com + + So the root servers have this info. But when the admins at + bogus.com actually set up their zone files they put something like: + + bogus.com IN NS upstream.com + bogus.com IN NS upstream1.com + + So your name server may have the nameserver info cached (which it + may have gotten from the root). 
The root says "go ask ns.bogus.com" + since they are authoritative + + This is usually from stuff being registered at the NIC (either + nic.ddn.mil or rs.internic.net), and then updated later, but the + folks who make the updates later never let the folks at the NIC know + about it. + +Q: How can I see if the server is "lame" ? + +A: Go to the authoritative servers one level up, and ask them who + they think is authoritative, and then go ask each one of those + delegees if they think that they themselves are authoritative. If any + responds "no", then you know who the lame delegation is, and who is + delegating lamely to them. You can then send off a message to the + administrators of the level above. + + The 'lamers' script from Byran Beecher really takes care of all this + for you. It parses the lame delegation notices from BIND's syslog + and summarizes them for you. It may be found in the contrib section + of the latest BIND distribution. The latest version is available + for anonymous ftp from + + ftp://terminator.cc.umich.edu/dns/lame-delegations/ + + If you want to actively check for lame delegations, you can use 'doc' + and 'dnswalk'. You can check things manually with 'dig'. + +------------------------------- + +Date: Thu Dec 1 11:10:39 EST 1994 +Subject: Q3.6 - What does opt-class field do? + +Q: Just something I was wondering about: What does the opt-class + field in an name database do (the one that always says IN)? + What would happen if I put something else there instead? + +A: This field is the address class. From the BOG - + + ...is the address class; currently, only one class + is supported: IN for internet addresses and other + internet information. Limited support is included for + the HS class, which is for MIT/Athena ``Hesiod'' + information. + +------------------------------- + +Date: Fri Feb 10 14:49:54 EST 1995 +Subject: Q3.7 - Top level domains + + +A section from RFC 1591: + + 2. 
The Top Level Structure of the Domain Names + + In the Domain Name System (DNS) naming of computers there is a + hierarchy of names. The root of system is unnamed. There are a set + of what are called "top-level domain names" (TLDs). These are the + generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two + letter country codes from ISO-3166. It is extremely unlikely that + any other TLDs will be created. + +[ Ed note: the ISO-3166 country codes may be found for anonymous ftp from: + + ftp://ftp.isi.edu/in-notes/iana/assignments/country-codes + ftp://ftp.ripe.net/iso3166-codes +] + + Under each TLD may be created a hierarchy of names. Generally, under + the generic TLDs the structure is very flat. That is, many + organizations are registered directly under the TLD, and any further + structure is up to the individual organizations. + + In the country TLDs, there is a wide variation in the structure, in + some countries the structure is very flat, in others there is + substantial structural organization. In some country domains the + second levels are generic categories (such as, AC, CO, GO, and RE), + in others they are based on political geography, and in still others, + organization names are listed directly under the country code. The + organization for the US country domain is described in RFC 1480. + + Each of the generic TLDs was created for a general category of + organizations. The country code domains (for example, FR, NL, KR, + US) are each organized by an administrator for that country. These + administrators may further delegate the management of portions of the + naming tree. These administrators are performing a public service on + behalf of the Internet community. Descriptions of the generic + domains and the US country domain follow. + + Of these generic domains, five are international in nature, and two + are restricted to use by entities in the United States. 
+ + World Wide Generic Domains: + + COM - This domain is intended for commercial entities, that is + companies. This domain has grown very large and there is + concern about the administrative load and system performance if + the current growth pattern is continued. Consideration is + being taken to subdivide the COM domain and only allow future + commercial registrations in the subdomains. + + EDU - This domain was originally intended for all educational + institutions. Many Universities, colleges, schools, + educational service organizations, and educational consortia + have registered here. More recently a decision has been taken + to limit further registrations to 4 year colleges and + universities. Schools and 2-year colleges will be registered + in the country domains (see US Domain, especially K12 and CC, + below). + + NET - This domain is intended to hold only the computers of network + providers, that is the NIC and NOC computers, the + administrative computers, and the network node computers. The + customers of the network provider would have domain names of + their own (not in the NET TLD). + + ORG - This domain is intended as the miscellaneous TLD for + organizations that didn't fit anywhere else. Some non- + government organizations may fit here. + + INT - This domain is for organizations established by international + treaties, or international databases. + + United States Only Generic Domains: + + GOV - This domain was originally intended for any kind of government + office or agency. More recently a decision was taken to + register only agencies of the US Federal government in this + domain. State and local agencies are registered in the country + domains (see US Domain, below). + + MIL - This domain is used by the US military. 
+ + Example country code Domain: + + US - As an example of a country domain, the US domain provides for + the registration of all kinds of entities in the United States + on the basis of political geography, that is, a hierarchy of + <entity-name>.<locality>.<state-code>.US. For example, + "IBM.Armonk.NY.US". In addition, branches of the US domain are + provided within each state for schools (K12), community + colleges (CC), technical schools (TEC), state government + agencies (STATE), councils of governments (COG),libraries + (LIB), museums (MUS), and several other generic types of + entities (see RFC 1480 for details). + + +A section from RFC 1480: + + 2. NAMING STRUCTURE + + The US Domain hierarchy is based on political geography. The + basic name space under US is the state name space, then the + "locality" name space, (like a city, or county) then + organization or computer name and so on. + + For example: + + BERKELEY.CA.US + PORTLAND.WA.US + + There is of course no problem with running out of names. + + The things that are named are individual computers. + + If you register now in one city and then move, the database can + be updated with a new name in your new city, and a pointer can + be set up from your old name to your new name. This type of + pointer is called a CNAME record. + + The use of unregistered names is not effective and causes problems + for other users. Inventing your own name and using it without + registering is not a good idea. + + In addition to strictly geographically names, some special names + are used, such as FED, STATE, AGENCY, DISTRICT, K12, LIB, CC, + CITY, and COUNTY. Several new name spaces have been created, + DNI, GEN, and TEC, and a minor change under the "locality" name + space was made to the existing CITY and COUNTY subdomains by + abbreviating them to CI and CO. A detailed description + follows. 
+ + Below US, Parallel to States: + ----------------------------- + + "FED" - This branch may be used for agencies of the federal + government. For example: <org-name>.<city>.FED.US + + "DNI" - DISTRIBUTED NATIONAL INSTITUTES - The "DNI" branch was + created directly under the top-level US. This branch is to be used + for distributed national institutes; organizations that span state, + regional, and other organizational boundaries; that are national in + scope, and have distributed facilities. For example: + <org-name>.DNI.US. + + Name Space Within States: + ------------------------ + + "locality" - cities, counties, parishes, and townships. Subdomains + under the "locality" would be like CI.<city>.<state>.US, + CO.<county>.<state>.US, or businesses. For example: + Petville.Marvista.CA.US. + + "CI" - This branch is used for city government agencies and is a + subdomain under the "locality" name (like Los Angeles). For example: + Fire-Dept.CI.Los-Angeles.CA.US. + + "CO" - This branch is used for county government agencies and is a + subdomain under the "locality" name (like Los Angeles). For example: + Fire-Dept.CO.San-Diego.CA.US. + + "K12" - This branch may be used for public school districts. A + special name "PVT" can be used in the place of a school district name + for private schools. For example: <school-name>.K12.<state>.US and + <school-name>.PVT.K12.<state>.US. + + "CC" - COMMUNITY COLLEGES - This branch was established for all state + wide community colleges. For example: <school-name>.CC.<state>.US. + + "TEC" - TECHNICAL AND VOCATIONAL SCHOOLS - The branch "TEC" was + established for technical and vocational schools and colleges. For + example: <school-name>.TEC.<state>.US. + + "LIB" - LIBRARIES (STATE, REGIONAL, CITY, COUNTY) - This branch may + be used for libraries only. For example: <lib-name>.LIB.<state>.US. + + "STATE" - This branch may be used for state government agencies. For + example: <org-name>.STATE.<state>.US. 
+ + "GEN" - GENERAL INDEPENDENT ENTITY - This branch is for the things + that don't fit easily into any other structure listed -- things that + might fit in to something like ORG at the top-level. It is best not + to use the same keywords (ORG, EDU, COM, etc.) that are used at the + top-level to avoid confusion. GEN would be used for such things as, + state-wide organizations, clubs, or domain parks. For example: + <org-name>.GEN.<state-code>.US. + + The application form for the US domain may be found for anonymous ftp + from: + + ftp://internic.net/templates/us-domain-template.txt + + The application form for the EDU, COM, NET, ORG, and GOV domains may be + found for anonymous ftp from: + + ftp://internic.net/templates/domain-template.txt + + +------------------------------- + +Date: Sun Nov 27 23:32:41 EST 1994 +Subject: Q3.8 - Classes of networks + +Q: I am just kind of curious to what exactly the differences in classes + of networks are (class A, B, C). + +A: An Internet Protocol (IP) address is 32 bit in length, divided into + two or three parts (the network address, the subnet address (if present), + and the host address. The subnet addresses are only present if the + network has been divided into subnetworks. The length of the network, + subnet, and host field are all variable. + + There are five different network classes. The leftmost bits indicate + the class of the network. + + # bits in # bits in + network host +Class field field Internet Protocol address in binary Ranges +============================================================================ + A 7 24 0NNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH 1-127.x.x.x + B 14 16 10NNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH 128-191.x.x.x + C 22 8 110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH 192-223.x.x.x + D NOTE 1 1110xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 224-239.x.x.x + E NOTE 2 11110xxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 240-247.x.x.x + + where N represents part of the network address and H represents part of + the host address. 
When the subnet address is defined, the needed bits + are assigned from the host address space. + + NOTE 1: Reserved for multicast groups - RFC 1112 + NOTE 2: Reserved for future use + + 127.0.0.1 is reserved for local loopback. + + Under the current arrangements, many class A IP numbers will not be + assigned whereas class C usage will be at a premium. + +------------------------------- + + +Date: Fri Apr 28 13:31:24 EDT 1995 +Subject: Q3.9 - What is CIDR ? + +Q: What is CIDR ? + +A: CIDR is "Classless Inter-Domain Routing (CIDR). From RFC1517: + + ...Classless Inter-Domain Routing (CIDR) attempts to deal with + these problems by defining a mechanism to slow the growth of + routing tables and reduce the need to allocate new IP network + numbers. + + Much more information may be obtained in RFCs 1467, 1517, 1518, 1520; + with primary reference 1519 + + +------------------------------- + + +Date: Fri Apr 28 13:31:24 EDT 1995 +Subject: Q3.10 - What is the rule for glue ? + +Q: What is the rule for glue ? + +A: A glue record is an A record for a name that appears on the right-hand + side of a NS record. So, if you have this: + + sub.foobar.com. IN NS dns.sub.foobar.com. + dns.sub.foobar.com. IN A 1.2.3.4 + + then the second record is a glue record (for the NS record above it). + + You need glue records when -- and only when -- you are delegating + authority to a nameserver that "lives" in the domain you are delegating + *and* you aren't a secondary server for that domain. + + In other words, in the example above, you need to add an A record + for dns.sub.foobar.com since it "lives" in the domain it serves. + This boot strapping information is necessary: How are you supposed + to find out the IP address of the nameserver for domain FOO if the + nameserver for FOO "lives" in FOO? + + If you have this NS record: + + sub.foobar.com. IN NS dns.xyz123.com. + + you do NOT need a glue record, and, in fact, adding one is a very + bad idea. 
If you add one, and then the folks at xyz123.com change + the address, then you will be passing out incorrect data. + + Also, unless you actually have a machine called something.IN-ADDR.ARPA, + you will never have any glue records present in any of your "reverse" + files. + + There is also a sort of implicit glue record that can be useful (or + confusing :^) ). If the parent server (abc.foobar.com domain in example + above) is a secondary server for the child, then the A record will be + fetched from the child server when the zone transfer is done. The glue + is still there but it's a little different, it's in the ip address in + the named.boot line instead of explicitly in the data. In this case + you can leave out the explicit glue A record and leave the manually + configured "glue" in just the one place in the named.boot file. + + RFC 1537 says it quite nicely: + + 2. Glue records + + Quite often, people put unnecessary glue (A) records in their + zone files. Even worse is that I've even seen *wrong* glue records + for an external host in a primary zone file! Glue records need only + be in a zone file if the server host is within the zone and there + is no A record for that host elsewhere in the zone file. + + Old BIND versions ("native" 4.8.3 and older versions) showed the + problem that wrong glue records could enter secondary servers in + a zone transfer. |
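Review bot: the network-class table in Q3.8 gives Class C a 22-bit network field, but the bit pattern on that same row (110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH) has only 21 N bits, and the Class E row's 11110xxx pattern covers 240-247 only, so 248-255 is left unaccounted for; since this file is a verbatim import of the posted comp.protocols.tcp-ip.domains FAQ into contrib/, either correct these with a bracketed "[ Ed note: ... ]" in the style the document already uses for the ISO-3166 pointer in Q3.7, or leave the text as posted and say so in the commit message rather than silently shipping a wrong table. Two smaller internal inconsistencies deserve the same treatment: Q3.5 says the registrant "listed 2 primary name servers, both from their *upstream* provider" and then shows three NS records including ns.bogus.com (the one that ends up lame), and Q3.10 refers to "the parent server (abc.foobar.com domain in example above)" although the example delegates sub.foobar.com from foobar.com; "Byran Beecher" in Q3.5 is also spelled "Bryan Beecher" a few lines earlier. The part of this region a BIND operator most needs, the glue rule in Q3.10 and the RFC 1537 quote about wrong out-of-zone glue entering secondaries through a zone transfer, is correct as written and should stay untouched.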