bind_manual_setup(7)
bind_manual_setup - Describes how to manually set up the Berkeley Internet Name Domain (BIND) service on your network.

Setting up a BIND domain includes configuring the following:

     Master server
     Slave servers
     Stub servers
     Caching-only servers
     Forward-only servers
     Clients
Note
Documentation for BIND prior to Version 8.1.1 referred to
the master server as a primary server and the slave server
as a secondary server. Though the terminology has changed,
master and slave servers are still referred to as having
primary and secondary authority, respectively, for zones.
SETTING UP THE MASTER SERVER

There can be only one master server in a BIND domain. Use the following procedure to set up a BIND master server:
1. Create the /etc/resolv.conf file.

   The /etc/resolv.conf file contains the domain name and the Internet Protocol (IP) address for the local host. Format the /etc/resolv.conf file as follows, substituting your domain name for cities.dec.com:

        #  @(#)resolv.conf
        #
        # Description:  The resolv.conf file lists name-value pairs that
        #               provide information to the BIND resolver.
        #
        # Syntax:       domain <domainname>
        #               and
        #               nameserver <address>
        #
        # Caution:      White space entered after the domain name is not
        #               ignored; it is interpreted as part of the domain name.
        #
        # domain <domainname>      local domain name
        # nameserver <address>     Internet address of a name server
        #                          that the resolver should query
        #
        domain cities.dec.com
        nameserver 127.0.0.1

2. Create the database files by using the following procedure:
   a. Copy into or create in the /etc/namedb/src directory a file called hosts. The hosts file should have the following format:

        127.0.0.1      localhost
        120.105.1.20   host1.cities.dec.com  h1    #BIND server
        120.105.1.142  host2                 h2
        120.105.1.1    host3                 h3    #BIND server
        120.105.1.13   host4
        120.105.2.23   host5                 h5

      The first field is the IP address. The second field is the host name. The third field is for aliases for the host name (optional). The fourth field is comments, delineated by the number sign (#) (optional).

   b. Run the make hosts command from within the /etc/namedb directory by entering the following commands:

        # cd /etc/namedb
        # make hosts

      The make hosts command creates the /etc/namedb/hosts.db and /etc/namedb/hosts.rev files.
Note
Any host names with a domain name different from
that for which you are creating the database are
ignored. For example, if you create the hosts
database for the domain cities.dec.com and you have
a host name fizzle.nac.dec.com in the file, fizzle.nac.dec.com
is ignored. Also, the first host
name that the make hosts command encounters that
has either no domain name or the default domain
name becomes the primary name of the machine. All
other names are considered aliases, or CNAMES. For
example, for the following entry, the make hosts
command considers host2 the primary name of the
system and h2 an alias:
120.105.1.20 host2 h2
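The naming rules in the Note above, applied to the sample hosts file in working code. This is an added illustration, not the Tru64 make hosts script itself: the hosts text is a constructed copy of the example above plus one out-of-zone line, the helper names are this example's own, and SOA/NS headers are omitted, so the output shows only the A, CNAME and PTR records that hosts.db and hosts.rev would carry.

```python
"""Apply the make-hosts naming rules described above to a hosts file.

Added illustration, not the Tru64 ``make hosts`` script: names qualified with
a domain other than the zone's are ignored, the first name on a line that is
unqualified or carries the zone's own domain becomes the primary name, and
every remaining name becomes a CNAME. Only this network's addresses go into
the reverse (PTR) data. SOA/NS headers are left out for brevity.
"""

# Constructed copy of the sample hosts file from this page, plus one line
# whose only name belongs to another domain (it must be ignored entirely).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
120.105.1.20   host1.cities.dec.com  h1    #BIND server
120.105.1.142  host2                 h2
120.105.1.1    host3                 h3    #BIND server
120.105.1.13   host4
120.105.2.23   host5                 h5
120.105.3.7    fizzle.nac.dec.com          #other zone: ignored
"""


def split_name(name, domain):
    """Return (label, in_zone): the short label and whether the name is
    unqualified or qualified with this zone's domain."""
    if "." not in name:
        return name, True
    if name.lower().endswith("." + domain.lower()):
        return name[: -(len(domain) + 1)], True
    return name, False


def build_zone_records(hosts_text, domain, network):
    """Return (forward, reverse) lists of (owner, type, rdata) tuples."""
    forward, reverse = [], []
    net_octets = network.split(".")
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # 4th field: optional comment
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        primary, aliases = None, []
        for n in names:
            label, in_zone = split_name(n, domain)
            if not in_zone:
                continue                       # different domain: ignored
            if primary is None:
                primary = label                # first acceptable name wins
            else:
                aliases.append(label)          # everything else is a CNAME
        if primary is None:
            continue                           # nothing publishable on this line
        forward.append((primary, "A", ip))
        forward.extend((a, "CNAME", primary) for a in aliases)
        octets = ip.split(".")
        if octets[: len(net_octets)] == net_octets:
            host_part = ".".join(reversed(octets[len(net_octets):]))
            reverse.append((host_part, "PTR", f"{primary}.{domain}."))
    return forward, reverse


def format_records(records):
    """Render (owner, type, rdata) tuples as zone-file lines."""
    return "\n".join(f"{o:<24}IN  {t:<6}{r}" for o, t, r in records)


if __name__ == "__main__":
    fwd, rev = build_zone_records(SAMPLE_HOSTS, "cities.dec.com", "120.105")
    print("; hosts.db (forward)\n" + format_records(fwd))
    print("; hosts.rev (relative to 120.105.in-addr.arpa)\n" + format_records(rev))
```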
3. Create the /etc/namedb/named.ca file.

   The /etc/namedb/named.ca file must read as follows:

        ;
        ; This file holds the information on root name servers needed to
        ; initialize cache of Internet domain name servers
        ; (e.g. reference this file in the "cache  .  <file>"
        ; configuration file of BIND domain name servers).
        ;
        ; This file is made available by InterNIC registration services
        ; under anonymous FTP as
        ;     file                /domain/named.root
        ;     on server           FTP.RS.INTERNIC.NET
        ; -OR- under Gopher at    RS.INTERNIC.NET
        ;     under menu          InterNIC Registration Services (NSI)
        ;        submenu          InterNIC Registration Archives
        ;     file                named.root
        ;
        ;     last update:    Aug 22, 1997
        ;     related version of root zone:   1997082200
        ;
        ;
        ; formerly NS.INTERNIC.NET
        ;
        A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
        ;
        ; formerly NS1.ISI.EDU
        ;
        B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
        ;
        ; formerly C.PSI.NET
        ;
        C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
        ;
        ; formerly TERP.UMD.EDU
        ;
        D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
        ;
        ; formerly NS.NASA.GOV
        ;
        E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
        ;
        ; formerly NS.ISC.ORG
        ;
        F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
        ;
        ; formerly NS.NIC.DDN.MIL
        ;
        G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
        ;
        ; formerly AOS.ARL.ARMY.MIL
        ;
        H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
        ;
        ; formerly NIC.NORDU.NET
        ;
        I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
        ;
        ; temporarily housed at NSI (InterNIC)
        ;
        J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
        ;
        ; housed in LINX, operated by RIPE NCC
        ;
        K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
        ;
        ; temporarily housed at ISI (IANA)
        ;
        L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
        ;
        ; housed in Japan, operated by WIDE
        ;
        M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
        ; End of File

4. Create the /etc/namedb/named.local file.

   The /etc/namedb/named.local file must contain the following information and be formatted as shown in the following example. Replace host1.cities.dec.com with your host and domain name.

        ;
        ; BIND data file for local loopback interface.
        ;
        @       IN      SOA     host1.cities.dec.com. postmaster.host1.cities.dec.com. (
                                      1         ; Serial
                                      3600      ; Refresh
                                      300       ; Retry
                                      3600000   ; Expire
                                      3600 )    ; Minimum
                IN      NS      host1.cities.dec.com.
        1       IN      PTR     localhost.
        localhost.      IN      A       127.0.0.1

5. Create the configuration (boot) file.
   The following is a sample named.conf file for a master server. Replace cities.dec.com with your domain name and 120.105 with your network number:

        // named.conf
        options {
                directory "/etc/namedb";
                /*
                 * If there is a firewall between you and nameservers
                 * you want to talk to, you might need to uncomment the
                 * query-source directive below.  Previous versions of BIND
                 * always asked questions using port 53, but BIND 8.1 uses
                 * an unprivileged port by default.
                 */
                // query-source address * port 53;
        };
        //
        zone "cities.dec.com" {
                type master;
                file "hosts.db";
        };
        zone "120.105.in-addr.arpa" {
                type master;
                file "hosts.rev";
        };
        //
        //
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "named.local";
        };
        //
        // load the cache data last (the root hint zone is ".", read from named.ca)
        zone "." {
                type hint;
                file "named.ca";
        };
   The database files are stored in the /etc/namedb directory by default. You can store database files in any directory; however, if you place them in a directory other than the default directory, you should change the /etc/namedb in the configuration (boot) file to the name of the directory you have chosen.

   If necessary for IPv6 or Microsoft Windows network environments, enable dynamic updates by adding the allow-update substatement to the master zone statements (forward and reverse lookup), as follows:

        zone "cities.dec.com" {
                type master;
                file "hosts.db";
                allow-update { any; };
        };
        zone "120.105.in-addr.arpa" {
                type master;
                file "hosts.rev";
                allow-update { any; };
        };

6. If necessary, configure authentication of dynamic updates and zone transfers. See CONFIGURING AUTHENTICATION for more information.

   Note that authentication is not supported on IPv6 name servers.

7. Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following commands to edit the /etc/rc.config.common file and add the required information:

        # /usr/sbin/rcmgr set BIND_CONF YES
        # /usr/sbin/rcmgr set BIND_SERVERTYPE MASTER
        # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

8. Edit the /etc/hosts file with the fully qualified BIND name of the host.

   To run BIND, your system's host name must include the BIND domain name. The fully qualified BIND host name consists of the local host name plus the BIND domain name, separated by dots. For example, the fully qualified BIND host name for a system whose local host name is host1 and whose BIND domain name is cities.dec.com is host1.cities.dec.com.

   See the hosts(4) reference page for more information.

9. Edit the /etc/rc.config file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following command to edit the /etc/rc.config file and add the required information:

        # /usr/sbin/rcmgr set HOSTNAME host1.cities.dec.com

   Replace host1.cities.dec.com with your system's fully qualified BIND name.

10. Set the new host name with the /sbin/hostname command.

    For example, to set the host name to host1.cities.dec.com for a system that was previously known locally as host1, enter the following command:

        # /sbin/hostname host1.cities.dec.com

11. Start the named daemon by issuing the following command:

        # /sbin/init.d/named start
SETTING UP A SLAVE SERVER

Use the following procedure to set up a BIND slave server:

1. Create the /etc/resolv.conf file. See step 1 in the Setting Up the Master Server section.

2. Create the /etc/namedb/named.ca file. See step 3 in the Setting Up the Master Server section.

3. Create the /etc/namedb/named.local file. See step 4 in the Setting Up the Master Server section.

4. Create the configuration (boot) file.

   A configuration file for a slave server should have the format shown in the following example. Replace cities.dec.com with your domain name, 120.105 with your network number, and 120.105.4.5 with the IP address of your domain's BIND master server:
        // named.conf
        options {
                directory "/etc/namedb";
                /*
                 * If there is a firewall between you and nameservers
                 * you want to talk to, you might need to uncomment the
                 * query-source directive below.  Previous versions of BIND
                 * always asked questions using port 53, but BIND 8.1 uses
                 * an unprivileged port by default.
                 */
                // query-source address * port 53;
        };
        //
        zone "cities.dec.com" {
                type slave;
                file "hosts.db";
                masters {
                        120.105.4.5;
                };
        };
        zone "120.105.in-addr.arpa" {
                type slave;
                file "hosts.rev";
                masters {
                        120.105.4.5;
                };
        };
        //
        //
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "named.local";
        };
        //
        // load the cache data last (the root hint zone is ".", read from named.ca)
        zone "." {
                type hint;
                file "named.ca";
        };
   The following entry indicates that this host serves itself its own local host information (the entry is shown in the older named.boot syntax; the 0.0.127.in-addr.arpa zone statement above is its named.conf equivalent):

        primary 0.0.127.in-addr.arpa named.local

   The default directory in which the database files are stored is /etc/namedb. You can store them in any directory; however, if you place them in a directory other than the default directory you should change the /etc/namedb at the top of the configuration (boot) file to the name of the directory you have chosen.

5. If necessary, configure authentication of zone transfers. See CONFIGURING AUTHENTICATION for more information.

6. Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following commands to edit the /etc/rc.config.common file and add the required information:

        # /usr/sbin/rcmgr set BIND_CONF YES
        # /usr/sbin/rcmgr set BIND_SERVERTYPE SLAVE
        # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

7. Edit the /etc/hosts file to add the fully qualified BIND name of the host.

   In order to run BIND, your system's host name must include the BIND domain name. The fully qualified BIND host name consists of the local host name plus the BIND domain name, separated by dots. For example, the fully qualified BIND host name for a system whose local host name is host2 and whose BIND domain name is cities.dec.com is host2.cities.dec.com.

   See the hosts(4) reference page for more information.

8. Edit the /etc/rc.config file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following command to edit the /etc/rc.config file and add the required information:

        # /usr/sbin/rcmgr set HOSTNAME host2.cities.dec.com

   Replace host2.cities.dec.com with your system's fully qualified BIND name.

9. Set the new host name with the /sbin/hostname command.

   For example, to set the host name to host2.cities.dec.com for a system that was previously known locally as host2, enter the following command:

        # /sbin/hostname host2.cities.dec.com

10. Start the named daemon by issuing the following command:

        # /sbin/init.d/named start
SETTING UP A STUB SERVER

Use the following procedure to set up a BIND stub server:

1. Create the /etc/resolv.conf file. See step 1 in the Setting Up the Master Server section.

2. Create the /etc/namedb/named.ca file. See step 3 in the Setting Up the Master Server section.

3. Create the /etc/namedb/named.local file. See step 4 in the Setting Up the Master Server section.

4. Create the configuration (boot) file.

   A configuration file for a stub server should have the format shown in the following example. Replace cities.dec.com with your domain name, 120.105 with your network number, and 120.105.4.5 with the IP address of your domain's BIND master server:
        // named.conf
        options {
                directory "/etc/namedb";
                /*
                 * If there is a firewall between you and nameservers
                 * you want to talk to, you might need to uncomment the
                 * query-source directive below.  Previous versions of BIND
                 * always asked questions using port 53, but BIND 8.1 uses
                 * an unprivileged port by default.
                 */
                // query-source address * port 53;
        };
        //
        zone "cities.dec.com" {
                type stub;
                file "hosts.db";
                masters {
                        120.105.4.5;
                };
        };
        zone "120.105.in-addr.arpa" {
                type stub;
                file "hosts.rev";
                masters {
                        120.105.4.5;
                };
        };
        //
        //
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "named.local";
        };
        //
        // load the cache data last (the root hint zone is ".", read from named.ca)
        zone "." {
                type hint;
                file "named.ca";
        };
   The following entry indicates that this host serves itself its own local host information (the entry is shown in the older named.boot syntax; the 0.0.127.in-addr.arpa zone statement above is its named.conf equivalent):

        primary 0.0.127.in-addr.arpa named.local

   The default directory in which the database files are stored is /etc/namedb. You can store them in any directory; however, if you place them in a directory other than the default directory you should change the /etc/namedb at the top of the configuration (boot) file to the name of the directory you have chosen.

5. Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following commands to edit the /etc/rc.config.common file and add the required information:

        # /usr/sbin/rcmgr set BIND_CONF YES
        # /usr/sbin/rcmgr set BIND_SERVERTYPE STUB
        # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

6. Edit the /etc/hosts file to add the fully qualified BIND name of the host.

   In order to run BIND, your system's host name must include the BIND domain name. The fully qualified BIND host name consists of the local host name plus the BIND domain name, separated by dots. For example, the fully qualified BIND host name for a system whose local host name is host2 and whose BIND domain name is cities.dec.com is host2.cities.dec.com.

   See the hosts(4) reference page for more information.

7. Edit the /etc/rc.config file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following command to edit the /etc/rc.config file and add the required information:

        # /usr/sbin/rcmgr set HOSTNAME host2.cities.dec.com

   Replace host2.cities.dec.com with your system's fully qualified BIND name.

8. Set the new host name with the /sbin/hostname command.

   For example, to set the host name to host2.cities.dec.com for a system that was previously known locally as host2, enter the following command:

        # /sbin/hostname host2.cities.dec.com

9. Start the named daemon by issuing the following command:

        # /sbin/init.d/named start
SETTING UP A CACHING-ONLY SERVER

Use the following procedure to set up a BIND caching-only server:

1. Create the /etc/resolv.conf file. See step 1 in the Setting Up the Master Server section.

2. Create the /etc/namedb/named.ca file. See step 3 in the Setting Up the Master Server section.

3. Create the /etc/namedb/named.local file. See step 4 in the Setting Up the Master Server section.

4. Create the configuration (boot) file.

   The following is a sample named.conf file for a caching-only server. Substitute the information appropriate for a caching-only server in your domain:
        // named.conf
        options {
                directory "/etc/namedb";
                /*
                 * If there is a firewall between you and nameservers
                 * you want to talk to, you might need to uncomment the
                 * query-source directive below.  Previous versions of BIND
                 * always asked questions using port 53, but BIND 8.1 uses
                 * an unprivileged port by default.
                 */
                // query-source address * port 53;
        };
        //
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "named.local";
        };
        //
        // load the cache data last (the root hint zone is ".", read from named.ca)
        zone "." {
                type hint;
                file "named.ca";
        };
   The default directory in which the database files are stored is /etc/namedb. You can store them in any directory; however, if you place them in a directory other than the default directory you should change the /etc/namedb entry at the top of the configuration (boot) file to the name of the directory you have chosen.

5. Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following commands to edit the /etc/rc.config.common file and add the required information:

        # /usr/sbin/rcmgr set BIND_CONF YES
        # /usr/sbin/rcmgr set BIND_SERVERTYPE CACHING
        # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

6. Edit the /etc/hosts file with the fully qualified BIND name of the host.

   In order to run BIND, your system's host name must include the BIND domain name. The fully qualified BIND host name consists of the local host name plus the BIND domain name, separated by dots. For example, the fully qualified BIND host name for a system whose local host name is host3 and whose BIND domain name is cities.dec.com is host3.cities.dec.com.

   See the hosts(4) reference page for more information.

7. Edit the /etc/rc.config file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following command to edit the /etc/rc.config file and add the required information:

        # /usr/sbin/rcmgr set HOSTNAME host3.cities.dec.com

   Replace host3.cities.dec.com with your system's fully qualified BIND name.

8. Set the new host name with the /sbin/hostname command.

   For example, to set the host name to host3.cities.dec.com for a system that was previously known locally as host3, enter the following command:

        # /sbin/hostname host3.cities.dec.com

9. Start the named daemon by issuing the following command:

        # /sbin/init.d/named start
SETTING UP A FORWARD-ONLY SERVER

Use the following procedure to set up a BIND forward-only server:

1. Create the /etc/resolv.conf file. See step 1 in the Setting Up the Master Server section.

2. Create the /etc/namedb/named.local file. See step 4 in the Setting Up the Master Server section.

3. Create the configuration (boot) file.

   The following is a sample named.conf file for a forward-only server. Replace 120.105.4.5 with the IP address of the BIND master server in your domain:
        // named.conf
        options {
                directory "/etc/namedb";
                forward only;
                forwarders {
                        120.105.4.5;
                };
                /*
                 * If there is a firewall between you and nameservers
                 * you want to talk to, you might need to uncomment the
                 * query-source directive below.  Previous versions of BIND
                 * always asked questions using port 53, but BIND 8.1 uses
                 * an unprivileged port by default.
                 */
                // query-source address * port 53;
        };
        //
        //
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "named.local";
        };
   The default directory in which the database files are stored is /etc/namedb. You can store them in any directory; however, if you place them in a directory other than the default directory you should change the /etc/namedb entry at the top of the configuration (boot) file to the name of the directory you have chosen.

4. Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following commands to edit the /etc/rc.config.common file and add the required information:

        # /usr/sbin/rcmgr set BIND_CONF YES
        # /usr/sbin/rcmgr set BIND_SERVERTYPE FORWARDER
        # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

5. Edit the /etc/hosts file and add the fully qualified BIND name of the host.

   To run BIND, your system's host name must include the BIND domain name. The fully qualified BIND host name consists of the local host name plus the BIND domain name, separated by dots. For example, the fully qualified BIND host name for a system whose local host name is host4 and whose BIND domain name is cities.dec.com is host4.cities.dec.com.

   See the hosts(4) reference page for more information.

6. Edit the /etc/rc.config file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following command to edit the /etc/rc.config file and add the required information:

        # /usr/sbin/rcmgr set HOSTNAME host4.cities.dec.com

   Replace host4.cities.dec.com with your system's fully qualified BIND name.

7. Set the new host name with the /sbin/hostname command.

   For example, to set the host name to host4.cities.dec.com for a system that was previously known locally as host4, enter the following command:

        # /sbin/hostname host4.cities.dec.com

8. Start the named daemon by issuing the following command:

        # /sbin/init.d/named start
SETTING UP A CLIENT

Use the following procedure to set up a BIND client:

1. Create the /etc/resolv.conf file.

   The /etc/resolv.conf file for a client contains the domain name and IP addresses of up to three servers for the domain. These name servers are the systems that the local host can query to resolve host information. Format the /etc/resolv.conf file as follows, replacing your domain name for cities.dec.com and the IP addresses of your name servers for 120.105.4.5, 120.105.4.13, and 120.105.5.160:

        ;
        ; BIND data file
        ;
        domain cities.dec.com
        nameserver 120.105.4.5
        nameserver 120.105.4.13
        nameserver 120.105.5.160

2. Edit the /etc/rc.config.common file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following commands to edit the /etc/rc.config.common file and add the required information:

        # /usr/sbin/rcmgr set BIND_CONF YES
        # /usr/sbin/rcmgr set BIND_SERVERTYPE CLIENT

3. Edit the /etc/rc.config file by using the /usr/sbin/rcmgr utility. The syntax for the /usr/sbin/rcmgr command is as follows:

        /usr/sbin/rcmgr set variable value

   Enter the following command to edit the /etc/rc.config file and add the required information:

        # /usr/sbin/rcmgr set HOSTNAME host4.cities.dec.com

   Replace host4.cities.dec.com with your system's fully qualified BIND name.

4. Set the new host name with the /sbin/hostname command.

   For example, to set the host name to host4.cities.dec.com for a system that was previously known locally as host4, enter the following command:

        # /sbin/hostname host4.cities.dec.com
CONFIGURING AUTHENTICATION

The following sections describe how to configure authentication on DNS servers for the following purposes:

     Secure dynamic updates -- Allow the master server to authenticate database updates it receives from clients.

     Secure zone transfers -- Allow the master server to authenticate zone transfer requests it receives from slave servers, and subsequently, allow the slave servers to authenticate the zone transfers they receive from the master server.

Authentication is useful only when the private key remains a secret between the servers; therefore, it is prudent to change this key frequently and save the key file as specified in the following sections to prevent the key from being compromised.
Configuring Secure Dynamic Updates

To configure a master server to authenticate dynamic updates it receives from new DNS clients (Microsoft Windows systems), do the following:

Note
If you plan to use the nd6hostd daemon to update IPv6 zones, do not enable authentication for those zones. The nd6hostd daemon does not support authentication.

1. Generate a private key using the dnskeygen command, as follows:

        # dnskeygen -H size -h -c -n key-name

   Valid key sizes are 512, 576, 640, 704, 768, 832, 896, 960, and 1024. Larger keys are more cumbersome, but they are more secure.

   You can supply any name for a key, but it is best to give the keys canonical names so they are easy to distinguish. For example, if hosts from the xyz.corp.com zone send dynamic updates to your master server, marlin.xyz.corp.com, you might want to name your key xyznet-marlin_update.

   The dnskeygen command produces two files:

        K<key-name>+<proto-id>+<key-id>.key
        K<key-name>+<proto-id>+<key-id>.private

   Hereafter, these files are referred to as the .key and .private files.

   For more information about generating keys, see dnskeygen(1).

2. Create a file, possibly named.keys, to contain the key configuration statement for the update. This file should be readable and writable only by superuser to prevent the private key from being compromised. For example:

        # cd /etc/namedb
        # touch key-config-file
        # chmod 600 key-config-file

3. Incorporate the key information from the .private file into the key-config-file by adding the following key statement:

        key key-name {
                algorithm hmac-md5;
                secret "generated-key";
        };
   In the key statement, replace key-name with the name of the key and generated-key with the entire private key as it appears in the .private file. It is best to enter the key by opening the .private file in another window, copying the necessary key text, and pasting the text into the text editor window. There should be no line feeds or spaces between the quotes that contain the key; if even one character is entered incorrectly, authentication fails.

4. Add the following include statement to the top of the /etc/namedb/named.conf file:

        include "/etc/namedb/key-config-file";

   Replace key-config-file with the name of the key configuration file you created in steps 2 and 3. When the named daemon starts and reads the DNS data file, it calls the key-config-file and parses its contents.

5. Enable secure dynamic updates for the master zone by adding the allow-update substatement to the master zone statements (for forward and reverse lookups) in the named.conf file:

        zone "cities.dec.com" {
                type master;
                file "hosts.db";
                allow-update {
                        key key-name;
                };
        };
        zone "120.105.in-addr.arpa" {
                type master;
                file "hosts.rev";
                allow-update {
                        key key-name;
                };
        };

   Replace key-name with the name of the key as you specified it in the key configuration file you created in steps 2 and 3.

   Specifying a key in this statement ensures that updates are successful only if they are signed with the private key.

6. Continue setting up your master server. Otherwise, if you are enabling authentication on a running server, restart the named daemon by issuing the following command:

        # /sbin/init.d/named restart
Once you have configured the master server to support
secure dynamic DNS updates from new hosts, you can
distribute the private key as necessary to administrators
who need to add these hosts to the network. It is best to
physically distribute the key on magnetic or optical media
as opposed to sending it over the network where it can be
compromised.
You can format a floppy for this purpose. See mtools(1)
for information about formatting and reading Microsoft
Windows-compatible floppy disks on a Tru64 UNIX system. If
the described tools are not available, you need to install
the OSFDOSTOOLS subset.
Note that when clients send updates to the master server,
the named daemon does not immediately update the master
database files. It creates temporary database.ixfr and
database.log files where it logs the changes until they
can be incorporated into the database. However, the daemon
does become aware of the updates almost immediately in
memory. You can verify them with the nslookup command. See
nslookup(8).
Configuring Secure Zone Transfers

To configure a master server and slave servers to use authentication for zone transfers, do the following:

1. On the master server, perform steps 1-4 as specified in Configuring Secure Dynamic Updates.

   When creating a key name, choose a name that describes the zone transfer. For example, if the master server, marlin.xyz.corp.com, is sending updates to the slave server, minnow.xyz.corp.com, for the xyz.corp.com zone, you might name the key xyznet-marlin-minnow_transfer.

2. On the master server, add the allow-transfer substatement to the master zone statements (for forward and reverse lookups) in the /etc/namedb/named.conf file:

        include "/etc/namedb/key-file";
        .
        .
        .
        zone "cities.dec.com" {
                type master;
                file "hosts.db";
                allow-transfer {
                        key key-name;
                };
        };
        zone "120.105.in-addr.arpa" {
                type master;
                file "hosts.rev";
                allow-transfer {
                        key key-name;
                };
        };

   Replace key-name with the name of the key as you specified it in the key configuration file you created in steps 2 and 3 of Configuring Secure Dynamic Updates.

   Adding this substatement ensures that the master server transfers the zone only if the request is signed with the private key. It also ensures that the master server signs the zone transfer with the key before it sends the data to the slave server.

3. Transfer the key configuration file (key-config-file or named.keys) from the master server to the slave server. It is best to physically transfer this file on magnetic or optical media as opposed to sending it over the network where it can be compromised.

   You can format a floppy for this purpose. See mtools(1) for information about formatting and reading Microsoft Windows-compatible floppy disks on a Tru64 UNIX system. If the described tools are not available, you need to install the OSFDOSTOOLS subset.

4. On the slave server, ensure that the permissions are set for read/write access by superuser only:

        # chmod 600 key-config-file

5. On the slave server, add an include statement to the named.conf file to call the key-config-file. Also, insert the server statement after the include statement and before any zone statements:

        include "/etc/namedb/key-config-file";
        .
        .
        .
        server 120.105.4.5 {
                keys { key-name; };
        };

   Replace key-config-file with the name of the key configuration file you copied over from the master server. Replace 120.105.4.5 with the IP address of your master server. Finally, replace key-name with the name of the key you specified in the key-config-file.

   Adding the server statement ensures that the slave server signs requests for zone transfers from the master server with the private key. It also ensures that the slave server authenticates signed zone transfers from the master server before it incorporates them into its data files.

6. Continue setting up your master or slave servers. Otherwise, if you are enabling authentication on running servers, restart the named daemon on each server by issuing the following command:

        # /sbin/init.d/named restart
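A configuration check covering the three places on this page where a slip either leaves a zone open or makes authentication fail: the allow-update { any; } form shown under SETTING UP THE MASTER SERVER, the key-config-file rules in Configuring Secure Dynamic Updates (mode 600, no spaces or line feeds inside the secret), and the allow-transfer substatement above. This is an added example, not part of the Tru64 tools or of BIND; the named.conf fragment and key file are constructed, the key name is the page's xyznet-marlin_update, the secret is a placeholder rather than a generated key, and the helper names are this example's own.

```python
"""Check a BIND 8 named.conf and its key configuration file for the mistakes
this page warns about: a key file that is not mode 600, a secret containing
spaces or line feeds, and allow-update / allow-transfer { any; }.
Added example, not part of Tru64 or BIND."""
import os
import re
import stat
import tempfile

# Constructed named.conf fragment: the forward zone still uses the open form
# shown under SETTING UP THE MASTER SERVER, the reverse zone names a key.
SAMPLE_NAMED_CONF = """\
include "/etc/namedb/named.keys";
zone "cities.dec.com" {
        type master;
        file "hosts.db";
        allow-update { any; };
};
zone "120.105.in-addr.arpa" {
        type master;
        file "hosts.rev";
        allow-update { key xyznet-marlin_update; };
        allow-transfer { key xyznet-marlin_update; };
};
"""

# Constructed key file. The secret is a placeholder, not a generated key, and
# it has been pasted across two lines the way a careless copy would do it.
SAMPLE_KEY_FILE = """\
key xyznet-marlin_update {
        algorithm hmac-md5;
        secret "PLACEHOLDERsecretPartOne
PLACEHOLDERsecretPartTwo==";
};
"""

KEY_RE = re.compile(r'key\s+(\S+)\s*\{[^}]*?secret\s+"([^"]*)"', re.S)
ACL_RE = re.compile(r'(allow-update|allow-transfer)\s*\{([^}]*)\}')

def zone_blocks(text):
    """Yield (zone name, body) for each zone statement, tracking nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def check_key_file(path):
    """Return (findings, {key name: secret}) for the key configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                      # group/other bits set: not chmod 600
        findings.append(f"{path}: mode {mode:o} is readable by others; use chmod 600")
    with open(path) as f:
        keys = dict(KEY_RE.findall(f.read()))
    for name, secret in keys.items():
        if re.search(r"\s", secret):      # the page's "no line feeds or spaces" rule
            findings.append(f"key {name}: secret contains whitespace or a line feed")
    if not keys:
        findings.append(f"{path}: no key statement found")
    return findings, keys

def check_named_conf(text, known_keys):
    """Return findings for allow-update / allow-transfer in every zone."""
    findings = []
    for zone, body in zone_blocks(text):
        for directive, acl in ACL_RE.findall(body):
            for entry in (e.strip() for e in acl.split(";") if e.strip()):
                if entry == "any":
                    findings.append(f"zone {zone}: {directive} {{ any; }} accepts "
                                    "unsigned requests from every host")
                elif entry.startswith("key ") and entry.split()[1] not in known_keys:
                    findings.append(f"zone {zone}: {directive} names unknown key {entry.split()[1]}")
    return findings

def audit(named_conf_text, key_path):
    """Run both checks and return the combined list of findings."""
    findings, keys = check_key_file(key_path)
    return findings + check_named_conf(named_conf_text, keys)

def run_demo(mode=0o644):
    """Write the constructed key file with the given mode, audit it, clean up."""
    with tempfile.NamedTemporaryFile("w", suffix=".keys", delete=False) as f:
        f.write(SAMPLE_KEY_FILE)
        path = f.name
    os.chmod(path, mode)
    try:
        return audit(SAMPLE_NAMED_CONF, path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```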
POST-SETUP PROCEDURES

After you configure BIND on your system, you must restart the sendmail process and edit the /etc/svc.conf file.

Restarting the sendmail Process

To kill and restart the sendmail process, enter the following command:

        # /sbin/init.d/sendmail restart

Editing the svc.conf File
The /etc/svc.conf file is the database service selection
configuration file that your system references to determine
what distributed database lookup services are running
on your system, which databases are being served by them,
and in what order to query them. After configuring BIND,
you must edit the /etc/svc.conf file to tell your system
that you want BIND servers queried for host name and
address information. For information on editing the
/etc/svc.conf file, see the svc.conf(4) and svcsetup(8)
reference pages and the Network Administration: Services
manual.
Commands: bindconfig(8), dnskeygen(1), named(8),
nslookup(8), svcsetup(8)
Files: named.conf(4), resolv.conf(4), svc.conf(4)
Networking: bind_intro(7)
Network Administration: Services