BIND 9 Administrator Reference Manual

• 1. Introduction to DNS and BIND 9
  • 1.1. Scope of Document
  • 1.2. Organization of This Document
  • 1.3. Conventions Used in This Document
  • 1.4. The Domain Name System (DNS)
    • 1.4.1. DNS Fundamentals
    • 1.4.2. Authority and Delegation
    • 1.4.3. Root Servers
    • 1.4.4. Name Resolution
    • 1.4.5. DNS Protocol and Queries
    • 1.4.6. DNS and BIND 9
  • 1.5. DNS Security Overview
• 2. Resource Requirements
  • 2.1. Hardware Requirements
  • 2.2. CPU Requirements
  • 2.3. Memory Requirements
  • 2.4. Name Server-Intensive Environment Issues
  • 2.5. Supported Platforms
    • 2.5.1. Regularly Tested Platforms
    • 2.5.2. Best-Effort
    • 2.5.3. Community-Maintained
  • 2.6. Unsupported Platforms
  • 2.7. Installing BIND 9
• 3. Configurations and Zone Files
  • 3.1. Introduction
    • 3.1.1. named.conf Base File
    • 3.1.2. example.com Base Zone File
    • 3.1.3. Other Zone Files
    • 3.1.4. localhost Zone File
    • 3.1.5. localhost Reverse-Mapped Zone File
  • 3.2. Authoritative Name Servers
    • 3.2.1. Primary Authoritative Name Server
    • 3.2.2. Secondary Authoritative Name Server
  • 3.3. Resolver (Caching Name Servers)
    • 3.3.1. Additional Zone Files
    • 3.3.2. Resolver Configuration
    • 3.3.3. Forwarding Resolver Configuration
    • 3.3.4. Selective Forwarding Resolver Configuration
  • 3.4. Load Balancing
  • 3.5. Zone File
    • 3.5.1. Resource Records
    • 3.5.2. Discussion of MX Records
    • 3.5.3. Setting TTLs
    • 3.5.4. Inverse Mapping in IPv4
    • 3.5.5. Other Zone File Directives
    • 3.5.6. BIND Primary File Extension: the $GENERATE Directive
    • 3.5.7. Additional File Formats
• 4. Name Server Operations
  • 4.1. Tools for Use With the Name Server Daemon
    • 4.1.1. Diagnostic Tools
    • 4.1.2. Administrative Tools
  • 4.2. Signals
  • 4.3. Plugins
  • 4.4. Configuring Plugins
  • 4.5. Developing Plugins
• 5. Advanced Configurations
  • 5.1. Dynamic Update
    • 5.1.1. The Journal File
  • 5.2. Incremental Zone Transfers (IXFR)
  • 5.3. Split DNS
    • 5.3.1. Example Split DNS Setup
  • 5.4. IPv6 Support in BIND 9
    • 5.4.1. Address Lookups Using AAAA Records
    • 5.4.2. Address-to-Name Lookups Using Nibble Format
  • 5.5. Dynamically Loadable Zones (DLZ)
    • 5.5.1. Configuring DLZ
    • 5.5.2. Sample DLZ Module
  • 5.6. Dynamic Database (DynDB)
    • 5.6.1. Configuring DynDB
    • 5.6.2. Sample DynDB Module
  • 5.7. Catalog Zones
    • 5.7.1. Principle of Operation
    • 5.7.2. Configuring Catalog Zones
    • 5.7.3. Catalog Zone Format
    • 5.7.4. Catalog Zone Custom Properties
    • 5.7.5. Change of Ownership (coo)
  • 5.8. DNS Firewalls and Response Policy Zones
    • 5.8.1. Why Use a DNS Firewall?
    • 5.8.2. What Can a DNS Firewall Do?
    • 5.8.3. Creating and Maintaining RPZ Rule Sets
    • 5.8.4. Limitations of DNS RPZ
    • 5.8.5. DNS Firewall Usage Examples
    • 5.8.6. Keeping Firewall Policies Updated
    • 5.8.7. Performance and Scalability When Using Multiple RPZs
    • 5.8.8. Practical Tips for DNS Firewalls and DNS RPZ
    • 5.8.9. Creating a Simple Walled Garden Triggered by IP Address
    • 5.8.10. A Known Inconsistency in DNS RPZ’s NSDNAME and NSIP Rules
    • 5.8.11. Example: Using RPZ to Disable Mozilla DoH-by-Default
• 6. Security Configurations
  • 6.1. Access Control Lists
  • 6.2. Chroot and Setuid
    • 6.2.1. The chroot Environment
    • 6.2.2. Using the setuid Function
  • 6.3. Dynamic Update Security
  • 6.4. TSIG
    • 6.4.1. Generating a Shared Key
    • 6.4.2. Loading a New Key
    • 6.4.3. Instructing the Server to Use a Key
    • 6.4.4. TSIG-Based Access Control
    • 6.4.5. Errors
  • 6.5. TKEY
  • 6.6. SIG(0)
• 7. DNSSEC
  • 7.1. DNSSEC Keys
    • 7.1.1. Generating Keys
    • 7.1.2. Signing the Zone
    • 7.1.3. Configuring Servers for DNSSEC
  • 7.2. DNSSEC, Dynamic Zones, and Automatic Signing
    • 7.2.1. Converting From Insecure to Secure
    • 7.2.2. Dynamic DNS Update Method
    • 7.2.3. Fully Automatic Zone Signing
    • 7.2.4. Private Type Records
    • 7.2.5. DNSKEY Rollovers
    • 7.2.6. Dynamic DNS Update Method
    • 7.2.7. Automatic Key Rollovers
    • 7.2.8. NSEC3PARAM Rollovers via UPDATE
    • 7.2.9. Converting From NSEC to NSEC3
    • 7.2.10. Converting From NSEC3 to NSEC
    • 7.2.11. Converting From Secure to Insecure
    • 7.2.12. Periodic Re-signing
    • 7.2.13. NSEC3 and OPTOUT
  • 7.3. Dynamic Trust Anchor Management
    • 7.3.1. Validating Resolver
    • 7.3.2. Authoritative Server
  • 7.4. PKCS#11 (Cryptoki) Support
    • 7.4.1. Prerequisites
    • 7.4.2. Building SoftHSMv2
    • 7.4.3. OpenSSL-based PKCS#11
    • 7.4.4. Using the HSM
    • 7.4.5. Key Generation
    • 7.4.6. Specifying the Engine on the Command Line
    • 7.4.7. Running named With Automatic Zone Re-signing
• 8. Configuration Reference
  • 8.1. Configuration File Elements
    • 8.1.1. Address Match Lists
    • 8.1.2. Comment Syntax
  • 8.2. Configuration File Grammar
    • 8.2.1. acl Statement Grammar
    • 8.2.2. acl Statement Definition and Usage
    • 8.2.3. controls Statement Grammar
    • 8.2.4. controls Statement Definition and Usage
    • 8.2.5. include Statement Grammar
    • 8.2.6. include Statement Definition and Usage
    • 8.2.7. key Statement Grammar
    • 8.2.8. key Statement Definition and Usage
    • 8.2.9. logging Statement Grammar
    • 8.2.10. logging Statement Definition and Usage
    • 8.2.11. parental-agents Statement Grammar
    • 8.2.12. parental-agents Statement Definition and Usage
    • 8.2.13. primaries Statement Grammar
    • 8.2.14. primaries Statement Definition and Usage
    • 8.2.15. options Statement Grammar
    • 8.2.16. options Statement Definition and Usage
    • 8.2.17. server Statement Grammar
    • 8.2.18. server Statement Definition and Usage
    • 8.2.19. statistics-channels Statement Grammar
    • 8.2.20. statistics-channels Statement Definition and Usage
    • 8.2.21. tls Statement Grammar
    • 8.2.22. tls Statement Definition and Usage
    • 8.2.23. http Statement Grammar
    • 8.2.24. http Statement Definition and Usage
    • 8.2.25. trust-anchors Statement Grammar
    • 8.2.26. trust-anchors Statement Definition and Usage
    • 8.2.27. dnssec-policy Statement Grammar
    • 8.2.28. dnssec-policy Statement Definition and Usage
    • 8.2.29. managed-keys Statement Grammar
    • 8.2.30. managed-keys Statement Definition and Usage
    • 8.2.31. trusted-keys Statement Grammar
    • 8.2.32. trusted-keys Statement Definition and Usage
    • 8.2.33. view Statement Grammar
    • 8.2.34. view Statement Definition and Usage
    • 8.2.35. zone Statement Grammar
    • 8.2.36. zone Statement Definition and Usage
  • 8.3. BIND 9 Statistics
    • 8.3.1. The Statistics File
    • 8.3.2. Statistics Counters
• 9. Troubleshooting
  • 9.1. Common Problems
    • 9.1.1. It’s Not Working; How Can I Figure Out What’s Wrong?
    • 9.1.2. EDNS Compliance Issues
    • 9.1.3. Inspecting Encrypted DNS Traffic
  • 9.2. Incrementing and Changing the Serial Number
  • 9.3. Where Can I Get Help?
• 10. Building BIND 9
  • 10.1. Required Libraries
  • 10.2. Optional Features
  • 10.3. macOS

Appendices

• Release Notes
  • Introduction
  • Supported Platforms
  • Download
  • Notes for BIND 9.19.1
  • Notes for BIND 9.19.0
  • License
  • End of Life
  • Thank You
• DNSSEC Guide
  • Preface
  • Introduction
  • Getting Started
  • Validation
  • Signing
  • Basic DNSSEC Troubleshooting
  • Advanced Discussions
  • Recipes
  • Commonly Asked Questions
• A Brief History of the DNS and BIND
• General DNS Reference Information
  • Requests for Comment (RFCs)
  • Notes
  • Internet Drafts
• Manual Pages
  • arpaname - translate IP addresses to the corresponding ARPA names
  • ddns-confgen - TSIG key generation tool
  • delv - DNS lookup and validation utility
  • dig - DNS lookup utility
  • dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
  • dnssec-dsfromkey - DNSSEC DS RR generation tool
  • dnssec-importkey - import DNSKEY records from external systems so they can be managed
  • dnssec-keyfromlabel - DNSSEC key generation tool
  • dnssec-keygen: DNSSEC key generation tool
  • dnssec-revoke - set the REVOKED bit on a DNSSEC key
  • dnssec-settime: set the key timing metadata for a DNSSEC key
  • dnssec-signzone - DNSSEC zone signing tool
  • dnssec-verify - DNSSEC zone verification tool
  • dnstap-read - print dnstap data in human-readable form
  • filter-aaaa.so - filter AAAA in DNS responses when A is present
  • host - DNS lookup utility
  • mdig - DNS pipelined lookup utility
  • named-checkconf - named configuration file syntax checking tool
  • named-checkzone - zone file validation tool
  • named-compilezone - zone file converting tool
  • named-journalprint - print zone journal in human-readable form
  • named-nzd2nzf - convert an NZD database to NZF text format
  • named-rrchecker - syntax checker for individual DNS resource records
  • named.conf - configuration file for named
  • named - Internet domain name server
  • nsec3hash - generate NSEC3 hash
  • nslookup - query Internet name servers interactively
  • nsupdate - dynamic DNS update utility
  • rndc-confgen - rndc key generation tool
  • rndc.conf - rndc configuration file
  • rndc - name server control utility
  • tsig-keygen - TSIG key generation tool