summaryrefslogtreecommitdiffstats
path: root/doc/arm/introduction.rst
blob: 1f7be6c42a338dc38721ea6f5a56792fc0a45d8d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. _Introduction:

Introduction
============

The Internet Domain Name System (DNS) consists of the syntax to specify
the names of entities in the Internet in a hierarchical manner, the
rules used for delegating authority over names, and the system
implementation that actually maps names to Internet addresses. DNS data
is maintained in a group of distributed hierarchical databases.

.. _doc_scope:

Scope of Document
-----------------

The Berkeley Internet Name Domain (BIND) implements a domain name server
for a number of operating systems. This document provides basic
information about the installation and care of the Internet Systems
Consortium (ISC) BIND version 9 software package for system
administrators.

This manual covers BIND version |release|.

.. _organization:

Organization of This Document
-----------------------------

In this document, *Chapter 1* introduces the basic DNS and BIND
concepts. *Chapter 2* describes resource requirements for running BIND
in various environments. Information in *Chapter 3* is *task-oriented*
in its presentation and is organized functionally, to aid in the process
of installing the BIND 9 software. The task-oriented section is followed
by *Chapter 4*, which is organized as a reference manual to aid in the ongoing
maintenance of the software. *Chapter 5* contains more advanced concepts that
the system administrator may need for implementing certain options. *Chapter 6*
addresses security considerations, and *Chapter 7* contains troubleshooting help.
The main body of the document is followed by several *appendices* which contain
useful reference information, such as a *bibliography* and historic
information related to BIND and the Domain Name System.

.. _conventions:

Conventions Used in This Document
---------------------------------

In this document, we generally use ``Fixed Width`` text to indicate the
following types of information:

- pathnames
- filenames
- URLs
- hostnames
- mailing list names
- new terms or concepts
- literal user input
- program output
- keywords
- variables

Text in "quotes," **bold**, or *italics* is also used for emphasis or clarity.

.. _dns_overview:

The Domain Name System (DNS)
----------------------------

This document explains the installation and upkeep
of the BIND (Berkeley Internet Name Domain) software package. We
begin by reviewing the fundamentals of the Domain Name System (DNS) as
they relate to BIND.

.. _dns_fundamentals:

DNS Fundamentals
~~~~~~~~~~~~~~~~

The Domain Name System (DNS) is a hierarchical, distributed database. It
stores information for mapping Internet host names to IP addresses and
vice versa, mail routing information, and other data used by Internet
applications.

Clients look up information in the DNS by calling a *resolver* library,
which sends queries to one or more *name servers* and interprets the
responses. The BIND 9 software distribution contains a name server,
``named``, and a set of associated tools.

.. _domain_names:

Domains and Domain Names
~~~~~~~~~~~~~~~~~~~~~~~~

The data stored in the DNS is identified by *domain names* that are
organized as a tree according to organizational or administrative
boundaries. Each node of the tree, called a *domain*, is given a label.
The domain name of the node is the concatenation of all the labels on
the path from the node to the *root* node. This is represented in
written form as a string of labels listed from right to left and
separated by dots. A label need only be unique within its parent domain.

For example, a domain name for a host at the company *Example, Inc.*
could be ``ourhost.example.com``, where ``com`` is the top-level domain
to which ``ourhost.example.com`` belongs, ``example`` is a subdomain of
``com``, and ``ourhost`` is the name of the host.

For administrative purposes, the name space is partitioned into areas
called *zones*, each starting at a node and extending down to the "leaf"
nodes or to nodes where other zones start. The data for each zone is
stored in a *name server*, which answers queries about the zone using
the *DNS protocol*.

The data associated with each domain name is stored in the form of
*resource records* (RRs). Some of the supported resource record types
are described in :ref:`types_of_resource_records_and_when_to_use_them`.

For more detailed information about the design of the DNS and the DNS
protocol, please refer to the standards documents listed in :ref:`rfcs`.

Zones
~~~~~

To properly operate a name server, it is important to understand the
difference between a *zone* and a *domain*.

As stated previously, a zone is a point of delegation in the DNS tree. A
zone consists of those contiguous parts of the domain tree for which a
name server has complete information and over which it has authority. It
contains all domain names from a certain point downward in the domain
tree except those which are delegated to other zones. A delegation point
is marked by one or more *NS records* in the parent zone, which should
be matched by equivalent NS records at the root of the delegated zone.

For instance, consider the ``example.com`` domain, which includes names
such as ``host.aaa.example.com`` and ``host.bbb.example.com``, even
though the ``example.com`` zone includes only delegations for the
``aaa.example.com`` and ``bbb.example.com`` zones. A zone can map
exactly to a single domain, but could also include only part of a
domain, the rest of which could be delegated to other name servers.
Every name in the DNS tree is a *domain*, even if it is *terminal*, that
is, has no *subdomains*. Every subdomain is a domain and every domain
except the root is also a subdomain. The terminology is not intuitive
and we suggest reading :rfc:`1033`, :rfc:`1034`, and :rfc:`1035` to gain a complete
understanding of this difficult and subtle topic.

Though BIND 9 is called a "domain name server," it deals primarily in
terms of zones. The ``primary`` and ``secondary`` declarations in the ``named.conf``
file specify zones, not domains. When BIND asks some other site if it is
willing to be a secondary server for a *domain*, it is actually asking
for secondary service for some collection of *zones*.

.. _auth_servers:

Authoritative Name Servers
~~~~~~~~~~~~~~~~~~~~~~~~~~

Each zone is served by at least one *authoritative name server*, which
contains the complete data for the zone. To make the DNS tolerant of
server and network failures, most zones have two or more authoritative
servers, on different networks.

Responses from authoritative servers have the "authoritative answer"
(AA) bit set in the response packets. This makes them easy to identify
when debugging DNS configurations using tools like ``dig`` (:ref:`diagnostic_tools`).

.. _primary_master:

The Primary Server
^^^^^^^^^^^^^^^^^^

The authoritative server, where the main copy of the zone data is
maintained, is called the *primary* (formerly *master*) server, or simply the
*primary*. Typically it loads the zone contents from some local file
edited by humans or perhaps generated mechanically from some other local
file which is edited by humans. This file is called the *zone file* or
*master file*.

In some cases, however, the master file may not be edited by humans at
all, but may instead be the result of *dynamic update* operations.

.. _secondary_server:

Secondary Servers
^^^^^^^^^^^^^^^^^

The other authoritative servers, the *secondary* servers (formerly known as
*slave* servers) load the zone contents from another server using a
replication process known as a *zone transfer*. Typically the data is
transferred directly from the primary, but it is also possible to
transfer it from another secondary. In other words, a secondary server may
itself act as a primary to a subordinate secondary server.

Periodically, the secondary server must send a refresh query to determine
whether the zone contents have been updated. This is done by sending a
query for the zone's Start of Authority (SOA) record and checking whether the SERIAL field
has been updated; if so, a new transfer request is initiated. The timing
of these refresh queries is controlled by the SOA REFRESH and RETRY
fields, but can be overridden with the ``max-refresh-time``,
``min-refresh-time``, ``max-retry-time``, and ``min-retry-time``
options.

If the zone data cannot be updated within the time specified by the SOA
EXPIRE option (up to a hard-coded maximum of 24 weeks), the secondary
zone expires and no longer responds to queries.

.. _stealth_server:

Stealth Servers
^^^^^^^^^^^^^^^

Usually, all of the zone's authoritative servers are listed in NS
records in the parent zone. These NS records constitute a *delegation*
of the zone from the parent. The authoritative servers are also listed
in the zone file itself, at the *top level* or *apex* of the zone.
Servers that are not in the parent's NS delegation can be listed in the
zone's top-level NS records, but servers that are not present at the
zone's top level cannot be listed in the parent's delegation.

A *stealth server* is a server that is authoritative for a zone but is
not listed in that zone's NS records. Stealth servers can be used for
keeping a local copy of a zone, to speed up access to the zone's records
or to make sure that the zone is available even if all the "official"
servers for the zone are inaccessible.

A configuration where the primary server itself is a stealth
server is often referred to as a "hidden primary" configuration. One use
for this configuration is when the primary is behind a firewall
and is therefore unable to communicate directly with the outside world.

.. _cache_servers:

Caching Name Servers
~~~~~~~~~~~~~~~~~~~~

The resolver libraries provided by most operating systems are *stub
resolvers*, meaning that they are not capable of performing the full DNS
resolution process by themselves by talking directly to the
authoritative servers. Instead, they rely on a local name server to
perform the resolution on their behalf. Such a server is called a
*recursive* name server; it performs *recursive lookups* for local
clients.

To improve performance, recursive servers cache the results of the
lookups they perform. Since the processes of recursion and caching are
intimately connected, the terms *recursive server* and *caching server*
are often used synonymously.

The length of time for which a record may be retained in the cache of a
caching name server is controlled by the Time-To-Live (TTL) field
associated with each resource record.

.. _forwarder:

Forwarding
^^^^^^^^^^

Even a caching name server does not necessarily perform the complete
recursive lookup itself. Instead, it can *forward* some or all of the
queries that it cannot satisfy from its cache to another caching name
server, commonly referred to as a *forwarder*.

Forwarders are typically used when an administrator does not wish for
all the servers at a given site to interact directly with the rest of
the Internet. For example, a common scenario is when multiple internal
DNS servers are behind an Internet firewall. Servers behind the firewall
forward their requests to the server with external access, which queries
Internet DNS servers on the internal servers' behalf.

Another scenario (largely now superseded by Response Policy Zones) is to
send queries first to a custom server for RBL processing before
forwarding them to the wider Internet.

There may be one or more forwarders in a given setup. The order in which
the forwarders are listed in ``named.conf`` does not determine the
sequence in which they are queried; rather, ``named`` uses the response
times from previous queries to select the server that is likely to
respond the most quickly. A server that has not yet been queried is
given an initial small random response time to ensure that it is tried
at least once. Dynamic adjustment of the recorded response times ensures
that all forwarders are queried, even those with slower response times.
This permits changes in behavior based on server responsiveness.

.. _multi_role:

Name Servers in Multiple Roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The BIND name server can simultaneously act as a primary for some zones,
a secondary for other zones, and as a caching (recursive) server for a set
of local clients.

However, since the functions of authoritative name service and
caching/recursive name service are logically separate, it is often
advantageous to run them on separate server machines. A server that only
provides authoritative name service (an *authoritative-only* server) can
run with recursion disabled, improving reliability and security. A
server that is not authoritative for any zones and only provides
recursive service to local clients (a *caching-only* server) does not
need to be reachable from the Internet at large and can be placed inside
a firewall.