.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. .. SPDX-License-Identifier: MPL-2.0 .. .. This Source Code Form is subject to the terms of the Mozilla Public .. License, v. 2.0. If a copy of the MPL was not distributed with this .. file, you can obtain one at https://mozilla.org/MPL/2.0/. .. .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. .. _advanced: Advanced Configurations ======================= .. _dynamic_update: Dynamic Update -------------- Dynamic update is a method for adding, replacing, or deleting records in a primary server by sending it a special form of DNS messages. The format and meaning of these messages is specified in :rfc:`2136`. Dynamic update is enabled by including an :any:`allow-update` or an :any:`update-policy` clause in the :any:`zone` statement. If the zone's :any:`update-policy` is set to ``local``, updates to the zone are permitted for the key ``local-ddns``, which is generated by :iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details. Dynamic updates using Kerberos-signed requests can be made using the TKEY/GSS protocol, either by setting the :any:`tkey-gssapi-keytab` option or by setting both the :any:`tkey-gssapi-credential` and :any:`tkey-domain` options. Once enabled, Kerberos-signed requests are matched against the update policies for the zone, using the Kerberos principal as the signer for the request. Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG, NSEC, and NSEC3 records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy. .. _journal: The Journal File ~~~~~~~~~~~~~~~~ All changes made to a zone using dynamic update are stored in the zone's journal file. This file is automatically created by the server when the first dynamic update takes place. The name of the journal file is formed by appending the extension ``.jnl`` to the name of the corresponding zone file unless specifically overridden. The journal file is in a binary format and should not be edited manually. The server also occasionally writes ("dumps") the complete contents of the updated zone to its zone file. This is not done immediately after each dynamic update because that would be too slow when a large zone is updated frequently. Instead, the dump is delayed by up to 15 minutes, allowing additional updates to take place. During the dump process, transient files are created with the extensions ``.jnw`` and ``.jbk``; under ordinary circumstances, these are removed when the dump is complete, and can be safely ignored. When a server is restarted after a shutdown or crash, it replays the journal file to incorporate into the zone any updates that took place after the last zone dump. Changes that result from incoming incremental zone transfers are also journaled in a similar way. The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent dynamic changes; those are only in the journal file. The only way to ensure that the zone file of a dynamic zone is up-to-date is to run :option:`rndc stop`. To make changes to a dynamic zone manually, follow these steps: first, disable dynamic updates to the zone using :option:`rndc freeze zone `. This updates the zone file with the changes stored in its ``.jnl`` file. Then, edit the zone file. Finally, run :option:`rndc thaw zone ` to reload the changed zone and re-enable dynamic updates. :option:`rndc sync zone ` updates the zone file with changes from the journal file without stopping dynamic updates; this may be useful for viewing the current zone state. To remove the ``.jnl`` file after updating the zone file, use :option:`rndc sync -clean `. .. _notify: NOTIFY ------ DNS NOTIFY is a mechanism that allows primary servers to notify their secondary servers of changes to a zone's data. In response to a NOTIFY message from a primary server, the secondary checks to see that its version of the zone is the current version and, if not, initiates a zone transfer. For more information about DNS NOTIFY, see the description of the :namedconf:ref:`notify` and :namedconf:ref`also-notify` statements. The NOTIFY protocol is specified in :rfc:`1996`. .. note:: As a secondary zone can also be a primary to other secondaries, :iscman:`named`, by default, sends NOTIFY messages for every zone it loads. .. _incremental_zone_transfers: Incremental Zone Transfers (IXFR) --------------------------------- The incremental zone transfer (IXFR) protocol is a way for secondary servers to transfer only changed data, instead of having to transfer an entire zone. The IXFR protocol is specified in :rfc:`1995`. When acting as a primary server, BIND 9 supports IXFR for those zones where the necessary change history information is available. These include primary zones maintained by dynamic update and secondary zones whose data was obtained by IXFR. For manually maintained primary zones, and for secondary zones obtained by performing a full zone transfer (AXFR), IXFR is supported only if the option :any:`ixfr-from-differences` is set to ``yes``. When acting as a secondary server, BIND 9 attempts to use IXFR unless it is explicitly disabled. For more information about disabling IXFR, see the description of the :any:`request-ixfr` clause of the :namedconf:ref:`server` statement. When a secondary server receives a zone via AXFR, it creates a new copy of the zone database and then swaps it into place; during the loading process, queries continue to be served from the old database with no interference. When receiving a zone via IXFR, however, changes are applied to the running zone, which may degrade query performance during the transfer. If a server receiving an IXFR request determines that the response size would be similar in size to an AXFR response, it may wish to send AXFR instead. The threshold at which this determination is made can be configured using the :any:`max-ixfr-ratio` option. .. _split_dns: Split DNS --------- Setting up different views of the DNS space to internal and external resolvers is usually referred to as a *split DNS* setup. There are several reasons an organization might want to set up its DNS this way. One common reason to use split DNS is to hide "internal" DNS information from "external" clients on the Internet. There is some debate as to whether this is actually useful. Internal DNS information leaks out in many ways (via email headers, for example) and most savvy "attackers" can find the information they need using other means. However, since listing addresses of internal servers that external clients cannot possibly reach can result in connection delays and other annoyances, an organization may choose to use split DNS to present a consistent view of itself to the outside world. Another common reason for setting up a split DNS system is to allow internal networks that are behind filters or in :rfc:`1918` space (reserved IP space, as documented in :rfc:`1918`) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back into the internal network. .. _split_dns_sample: Example Split DNS Setup ~~~~~~~~~~~~~~~~~~~~~~~ Let's say a company named *Example, Inc.* (``example.com``) has several corporate sites that have an internal network with reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ), or "outside" section of a network, that is available to the public. Example, Inc. wants its internal clients to be able to resolve external hostnames and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available at all outside of the internal network. To accomplish this, the company sets up two sets of name servers. One set is on the inside network (in the reserved IP space) and the other set is on bastion hosts, which are "proxy" hosts in the DMZ that can talk to both sides of its network. The internal servers are configured to forward all queries, except queries for ``site1.internal``, ``site2.internal``, ``site1.example.com``, and ``site2.example.com``, to the servers in the DMZ. These internal servers have complete sets of information for ``site1.example.com``, ``site2.example.com``, ``site1.internal``, and ``site2.internal``. To protect the ``site1.internal`` and ``site2.internal`` domains, the internal name servers must be configured to disallow all queries to these domains from any external hosts, including the bastion hosts. The external servers, which are on the bastion hosts, are configured to serve the "public" version of the ``site1.example.com`` and ``site2.example.com`` zones. This could include things such as the host records for public servers (``www.example.com`` and ``ftp.example.com``) and mail exchange (MX) records (``a.mx.example.com`` and ``b.mx.example.com``). In addition, the public ``site1.example.com`` and ``site2.example.com`` zones should have special MX records that contain wildcard (``*``) records pointing to the bastion hosts. This is needed because external mail servers have no other way of determining how to deliver mail to those internal hosts. With the wildcard records, the mail is delivered to the bastion host, which can then forward it on to internal hosts. Here's an example of a wildcard MX record: :: * IN MX 10 external1.example.com. Now that they accept mail on behalf of anything in the internal network, the bastion hosts need to know how to deliver mail to internal hosts. The resolvers on the bastion hosts need to be configured to point to the internal name servers for DNS resolution. Queries for internal hostnames are answered by the internal servers, and queries for external hostnames are forwarded back out to the DNS servers on the bastion hosts. For all of this to work properly, internal clients need to be configured to query *only* the internal name servers for DNS queries. This could also be enforced via selective filtering on the network. If everything has been set properly, Example, Inc.'s internal clients are now able to: - Look up any hostnames in the ``site1.example.com`` and ``site2.example.com`` zones. - Look up any hostnames in the ``site1.internal`` and ``site2.internal`` domains. - Look up any hostnames on the Internet. - Exchange mail with both internal and external users. Hosts on the Internet are able to: - Look up any hostnames in the ``site1.example.com`` and ``site2.example.com`` zones. - Exchange mail with anyone in the ``site1.example.com`` and ``site2.example.com`` zones. Here is an example configuration for the setup just described above. Note that this is only configuration information; for information on how to configure the zone files, see :ref:`sample_configuration`. Internal DNS server config: :: acl internals { 172.16.72.0/24; 192.168.1.0/24; }; acl externals { bastion-ips-go-here; }; options { ... ... forward only; // forward to external servers forwarders { bastion-ips-go-here; }; // sample allow-transfer (no one) allow-transfer { none; }; // restrict query access allow-query { internals; externals; }; // restrict recursion allow-recursion { internals; }; ... ... }; // sample primary zone zone "site1.example.com" { type primary; file "m/site1.example.com"; // do normal iterative resolution (do not forward) forwarders { }; allow-query { internals; externals; }; allow-transfer { internals; }; }; // sample secondary zone zone "site2.example.com" { type secondary; file "s/site2.example.com"; primaries { 172.16.72.3; }; forwarders { }; allow-query { internals; externals; }; allow-transfer { internals; }; }; zone "site1.internal" { type primary; file "m/site1.internal"; forwarders { }; allow-query { internals; }; allow-transfer { internals; } }; zone "site2.internal" { type secondary; file "s/site2.internal"; primaries { 172.16.72.3; }; forwarders { }; allow-query { internals }; allow-transfer { internals; } }; External (bastion host) DNS server configuration: :: acl internals { 172.16.72.0/24; 192.168.1.0/24; }; acl externals { bastion-ips-go-here; }; options { ... ... // sample allow-transfer (no one) allow-transfer { none; }; // default query access allow-query { any; }; // restrict cache access allow-query-cache { internals; externals; }; // restrict recursion allow-recursion { internals; externals; }; ... ... }; // sample secondary zone zone "site1.example.com" { type primary; file "m/site1.foo.com"; allow-transfer { internals; externals; }; }; zone "site2.example.com" { type secondary; file "s/site2.foo.com"; primaries { another_bastion_host_maybe; }; allow-transfer { internals; externals; } }; In the ``resolv.conf`` (or equivalent) on the bastion host(s): :: search ... nameserver 172.16.72.2 nameserver 172.16.72.3 nameserver 172.16.72.4 .. _ipv6: IPv6 Support in BIND 9 ---------------------- BIND 9 fully supports all currently defined forms of IPv6 name-to-address and address-to-name lookups. It also uses IPv6 addresses to make queries when running on an IPv6-capable system. For forward lookups, BIND 9 supports only AAAA records. :rfc:`3363` deprecated the use of A6 records, and client-side support for A6 records was accordingly removed from BIND 9. However, authoritative BIND 9 name servers still load zone files containing A6 records correctly, answer queries for A6 records, and accept zone transfer for a zone containing A6 records. For IPv6 reverse lookups, BIND 9 supports the traditional "nibble" format used in the ``ip6.arpa`` domain, as well as the older, deprecated ``ip6.int`` domain. Older versions of BIND 9 supported the "binary label" (also known as "bitstring") format, but support of binary labels has been completely removed per :rfc:`3363`. Many applications in BIND 9 do not understand the binary label format at all anymore, and return an error if one is given. In particular, an authoritative BIND 9 name server will not load a zone file containing binary labels. Address Lookups Using AAAA Records ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire IPv6 address in a single record. For example: :: $ORIGIN example.com. host 3600 IN AAAA 2001:db8::1 Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has an IPv4 address, use an A record, not a AAAA, with ``::ffff:192.168.42.1`` as the address. Address-to-Name Lookups Using Nibble Format ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and ``ip6.arpa.`` is appended to the resulting name. For example, the following commands produce a reverse name lookup for a host with address ``2001:db8::1``: :: $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR ( host.example.com. )