book

Pro DNS and BIND 10

Name: Pro DNS and BIND 10
Author: Ron Aitchison
ISBN: 9781430230489

by Ron Aitchison

February 2011

Intermediate to advanced

692 pages

19h 34m

English

Apress

Read now

Unlock full access

Copyright
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Introduction to the Second EditionWho This Book Is ForHow This Book Is StructuredChapter 1, "An Introduction to DNS"Chapter 2, "Zone Files and Resource Records"Chapter 3, "DNS Operations"Chapter 4, "DNS Types"Chapter 5, "DNS and IPv6"Chapter 6, "Installing BIND"Chapter 7, "BIND Type Samples"Chapter 8, "DNS Techniques"Chapter 9, "DNS Diagnostics and Tools"Chapter 10, "DNS Secure Configurations"Chapter 11, "DNSSEC"Chapter 12, "BIND Configuration Reference"Chapter 13, "Zone File Reference"Chapter 14, "BIND APIs and Resolver Libraries"Chapter 15, "DNS Messages and Records"Appendix A, "Domain Name Registration"Appendix B, "DNS RFCs"Additional MaterialConventionsContacting the Author
I. Principles and Overview
1. An Introduction to DNS
1.1. A Brief History of Name Servers1.2. Name Server Basics1.3. The Internet Domain Name System1.3.1. Domains and Delegation1.3.2. Domain Authority1.3.2.1. So What Is www.example.com?1.4. DNS Implementation and Structure1.5. Root DNS Operations1.5.1. Top-Level Domains1.5.1.1. Generic Top-Level Domains1.6. DNS in Action1.6.1. Zones and Zone Files1.6.2. Master and Slave DNS Servers1.7. DNS Software1.8. Summary
2. Zone Files and Resource Records
2.1. Zone File Format2.2. Zone File Contents2.3. An Example Zone File2.4. The $TTL Directive2.5. The $ORIGIN Directive2.6. The SOA Resource Record2.7. The NS Resource Record2.8. The MX Resource Record2.9. The A Resource Record2.10. CNAME Resource Record2.10.1. When CNAME Records Must Be Used2.11. Additional Resource Records2.11.1. PTR Resource Records2.11.2. TXT Resource Records2.11.3. AAAA Resource Records2.11.4. NSEC, RRSIG, DS, DNSKEY, and KEY Resource Records2.11.5. SRV Resource Records2.12. Standard Configuration File Scenarios2.13. Summary
3. DNS Operations
3.1. The DNS Protocol3.2. DNS Queries3.2.1. Recursive Queries3.2.1.1. Which Name Server Is Used3.2.2. Iterative (Nonrecursive) Queries3.2.3. Inverse Queries3.3. DNS Reverse Mapping3.3.1. IN-ADDR.ARPA Reverse-Mapping Domain3.3.1.1. The PTR Resource Record3.3.1.2. Reverse-Map Queries3.4. Zone Maintenance3.4.1. Full Zone Transfer (AXFR)3.4.2. Incremental Zone Transfer (IXFR)3.4.3. Notify (NOTIFY)3.4.4. Dynamic Update3.4.5. Alternative Dynamic DNS Approaches3.4.6. Security Overview3.4.6.1. Security Threats3.4.6.2. Security Classification3.5. Summary
4. DNS Types
4.1. Master (Primary) Name Servers4.2. Slave (Secondary) Name Servers4.2.1. Slave (Secondary) DNS Behavior4.2.1.1. Slave vs. Cache4.2.1.2. Change Propagation Using NOTIFY4.3. Caching Name Servers4.3.1. Caching Implications4.4. Forwarding (Proxy) Name Servers4.5. Stealth (DMZ or Split) Name Server4.5.1. Stealth Servers and the View Clause4.5.2. Stealth Server Configuration4.6. Authoritative-only Name Server4.7. Summary

5. DNS and IPv6
5.1. IPv65.1.1. IPv6 Address Notation5.1.2. Prefix or Slash Notation5.1.3. IPv6 Address Types5.1.4. Global Unicast IPv6 Address Allocation5.1.5. IPv6 Global Unicast Address Format5.2. Status of IPv6 DNS Support5.2.1. The AAAA vs. A6 Resource Record5.2.2. Mixed IPv6 and IPv4 Network Support5.3. IPv6 Resource Records5.4. The AAAA Resource Record5.5. Reverse IPv6 Mapping5.5.1. IPv6 Reverse Map Issues5.6. The IPv6 PTR Resource Record5.7. Summary
II. Get Something Running
6. Installing BIND
6.1. Ubuntu Server 10.04 Installation6.1.1.6.1.1.1. Post Ubuntu Server Installation6.1.1.2. Version Upgrade6.1.1.3. Ubuntu and Debian6.1.1.4. Ubuntu Summary6.2. FreeBSD 8.1 Installation6.2.1.6.2.1.1. Post Install Tasks6.2.1.2. Installing BIND 96.2.1.3. BIND 9 Nonbase Install6.2.1.4. BIND 9 Base Install6.2.2. Freebsd Considerations6.3. Building BIND from Source6.3.1.6.3.1.1. BIND 9 Configure Options6.4. Windows Installation6.5. Summary
7. BIND Type Samples
7.1. Before You Start7.1.1. Configuration Layout7.1.2. Configuration Conventions7.1.3. Zone File Naming Convention7.1.4. Required Zone Files7.1.4.1. root.servers7.1.4.2. master.localhost7.1.4.3. IPv6 Localhost7.1.4.4. Reverse-Map Zone Files7.1.4.4.1. 0.0.127.IN-ADDR.ARPA7.1.4.5. IPv6 Localhost Reverse Map7.1.5. BIND named.conf File Format and Style7.1.6. Standard Zone File7.1.7. Common Configuration Elements7.2. Master DNS Server7.2.1. Master Name Server Configuration7.3. Slave DNS Server7.3.1. Slave Name Server Configuration7.4. Resolver (Caching-only) DNS Server7.4.1. Caching-only Name Server Configuration7.5. Forwarding (a.k.a. Proxy, Client, Remote) DNS Server7.5.1. Forwarding Name Server Configuration7.6. Stealth (a.k.a. Split or DMZ) DNS Server7.6.1. Stealth Configuration7.6.1.1. Stealth (Private) Configuration Files7.6.1.2. Public Configuration Files7.7. Authoritative-only DNS Server7.7.1. Authoritative-only Name Server Configuration7.8. View-based Authoritative-only DNS Server7.8.1. View-based Authoritative-only Name Server Configuration7.8.2. Security and the view Section7.9. Summary
8. DNS Techniques
8.1. Delegate a Subdomain (Subzone)8.1.1. Domain Name Server Configuration8.1.2. Subdomain Name Server Configuration8.2. Virtual Subdomains8.2.1. Domain Name Server Configuration8.3. Configure Mail Servers Fail-Over8.4. Delegate Reverse Subnet Maps8.4.1. Assignee Zone File8.4.2. Assignor (End User) Zone File8.5. DNS Load Balancing8.5.1. Balancing Mail8.5.2. Balancing Other Services8.5.3. Balancing Services8.5.4. Controlling the RRset Order8.5.5. Effectiveness of DNS Load Balancing8.6. Define an SPF Record8.6.1. SPF RR Format8.6.1.1. v=spf1 Field8.6.1.2. pre Field8.6.1.3. type Field8.6.1.4. mod Field8.6.1.4.1. redirect=domain Field8.6.1.4.2. exp=text-rr Field8.6.2. SPF type Values8.6.2.1. Basic Mechanisms8.6.2.2. Sender Mechanisms8.6.2.2.1. Type ip4 Format8.6.2.2.2. Type ip6 Format8.6.2.2.3. Type a Format8.6.2.2.4. Type mx Format8.6.2.2.5. Type ptr Format8.6.2.2.6. Type exists Format8.6.2.3. Macro Expansion8.6.3. SPF Record Examples8.6.3.1. Single Domain Mail Server8.6.3.2. SMTP Server Offsite8.6.3.3. Virtual Mail Host8.6.3.4. No Mail Domain8.6.3.5. Using Macro Expansion8.7. Define a DKIM Record8.7.1. DKIM DNS TXT RR Format8.7.1.1. DNS RR DKIM-Specific-Text8.7.2. ADSP TXT RR Format8.7.2.1. ADSP TXT RR Format - Text8.7.3. Examples8.7.3.1. All Mail Signed - One MTA, No Subdomains8.7.3.2. Loose DKIM Signing8.7.3.3. Multiple Subdomain DKIM Signing8.8. Supporting http://example.com8.8.1. Apache Configuration8.9. Out-of-Sequence Serial Numbers8.10. Use of Wildcards in Zone Files8.11. Zone File Construction8.12. Split Horizon DNS8.13. DNSBL (DNS Blacklists)8.13.1. Example blacklist zone file8.13.2. Blacklist Return Addresses8.13.3. Additional Usage8.14. DNS TTLs and Time Values8.15. Summary
9. DNS Diagnostics and Tools
9.1. DNS Utilities9.2. The nslookup Utility9.2.1. nslookup Command Format9.2.2. Quick Examples9.2.2.1. Interactive Format9.2.3. Options9.2.4. Examples: Command Line9.2.5. Example: Interactive Mode9.3. BIND dig Utility9.3.1. Quick Examples9.3.2. dig Syntax9.3.3. dig Options9.3.4. dig Examples9.3.4.1. dig Host Query9.3.4.2. dig Domain Query9.3.4.3. dig Multiple Queries9.3.5. dig Output9.3.6. dig Response Values9.3.6.1. DNS Flags9.3.6.2. DNS Status9.4. BIND named-compilezone Utility9.5. BIND named-checkconf Utility9.5.1. named-checkconf Syntax9.5.2. named-checkconf Options9.6. BIND named-checkzone/named-compilezone Utility9.6.1. named-checkzone/named-compilezone Syntax9.6.2. named-checkzone/named-compilezone Arguments9.6.3. named-checkzone/named-compilezone Examples9.7. rndc9.7.1. rndc Syntax9.7.2. rndc Options9.7.3. rndc.conf Clauses and Statements9.7.3.1. The options Clause9.7.3.2. The server Clause9.7.3.3. The key Clause9.7.4. rndc Configuration Examples9.7.5. rndc Commands9.8. rndc-confgen Utility9.8.1. rndc-confgen Syntax9.8.2. rndc-confgen Options9.9. BIND nsupdate Utility9.9.1. nsupdate Syntax9.9.2. nsupdate Options9.9.3. nsupdate Command Format9.9.4. nsupdate Example9.9.5. nsupdate and DNSSEC Signed Zones9.10. dnssec-keygen Utility9.10.1. BIND HSM Support (cryptoki)9.10.2. dnssec-keygen Syntax9.10.3. dnssec-keygen Arguments9.10.3.1. Timing Metadata (TMD)9.10.4. dnssec-keygen Examples9.11. dnssec-revoke Utility9.11.1. dnssec-revoke Syntax9.11.2. dnssec-revoke Arguments9.11.3. dnssec-revoke Example9.12. dnssec-settime Utility9.12.1. dnssec-settime Syntax9.12.2. dnssec-settime Arguments9.13. dnssec-signzone Utility9.13.1. dnssec-signzone Syntax9.13.2. dnssec-signzone Arguments9.13.3. dnssec-signzone Examples9.14. Diagnosing DNS Problems9.14.1. Before the Problem Happens9.14.1.1. Log All Changes9.14.1.2. Back Up Files9.14.1.3. Logging9.14.1.4. Tools9.14.1.5. External Sources9.14.2. When the Problem Occurs9.14.2.1. Make No Assumptions9.14.2.2. Describe the Problem9.14.2.3. Scope the Problem9.14.2.4. Check Your Logs9.14.2.5. Start Digging9.14.2.6. Diagnosing the Problem9.15. Summary
III. DNS Security
10. DNS Secure Configurations
10.1. Security Overview and Audit10.1.1. DNS Normal Data Flow10.1.2. Security Classification10.2. Administrative Security10.2.1. Up-to-Date Software10.2.2. Limit Functionality10.2.2.1. Defensive Configuration10.2.2.2. Deny All, Allow Selectively10.2.2.3. Remote Access10.2.3. Limit Permissions10.2.4. Running BIND 9 As Nonroot10.2.4.1. Setting the Run Time UID of BIND10.2.4.2. Setting Permissions for the UID10.2.5. BIND 9 in a Chroot Jail10.2.5.1. Fedora Core bind-chroot Package10.2.5.2. FreeBSD 8.x10.2.5.3. Manual Configuration of Chroot Jail10.2.5.3.1. Linux (Ubuntu Server 10.04) Chroot10.2.5.3.2. FreeBSD 8.1 Chroot10.2.5.4. Dedicated Server10.2.6. Stream the Log10.2.7. Software Diversity10.3. A Cryptographic Overview10.3.1. Symmetric Cryptography10.3.2. Asymmetric Cryptography10.3.3. Message Digests10.3.4. Message Authentication Codes10.3.5. Digital Signatures10.3.6. DNS Cryptographic Use10.4. Securing Zone Transfers10.4.1. Authentication and Integrity of Zone Transfers10.4.2. TSIG Configuration10.5. Securing Dynamic Updates10.5.1. TSIG DDNS Configuration10.5.2. SIG(0) Configuration10.6. Summary
11. DNSSEC
11.1. Base DNSSEC Theory11.1.1. Islands of Security11.1.2. Chains of Trust11.1.3. Securing or Signing the Zone11.1.4. Secure Zone Maintenance11.1.4.1. The Prepublish Method11.1.4.2. The Double-Signing Method11.1.4.3. Key Rollover Summary11.1.5. Secure Delegation11.1.6. Dynamic DNS and DNSSEC11.1.7. DNSSEC and Performance11.2. DNSSEC Base Examples11.2.1. Securing the example.com Zone11.2.1.1. Verifying the Signed Zone11.2.1.2. PNE with Signed Zones11.2.2. Establishing a Trusted Anchor11.2.2.1. Using a Trusted Anchor11.2.2.2. DNSSEC Logging11.2.3. Signing the sub.example.com Zone11.2.4. Creating the Chain of Trust11.2.5. Key Rollover11.2.5.1. Prepublish ZSK Rollover11.2.5.2. Double-signing KSK Rollover11.3. DNSSEC Enhancements11.3.1. NSEC3/Opt-Out11.3.2. Validating Resolvers11.3.3. Key Handling Automation11.3.3.1. Compromised Key Recovery11.3.3.2. Removing a Trusted-Anchor11.3.3.3. Key Handling Summary11.4. DNSSEC Lookaside Validation11.4.1. DLV Service11.5. DNSSEC Implementation11.5.1. DNSSEC Algorithms and Keys11.5.1.1. Key Management11.5.1.2. Key Sizes and Algorithms11.5.1.3. Key Life Cycle Management11.5.1.4. Key Life-Cycle Examples11.5.2. BIND Signing Models11.5.2.1. Offline vs. Online11.5.2.2. Offline Smart Signing11.5.3. DNSSEC Implementation - A Plan11.6. Summary
12. BIND 9 Configuration Reference
12.1. BIND Command Line12.1.1. BIND Debug Levels12.1.2. BIND Signals12.2. BIND Configuration Overview12.2.1. Layout Styles12.2.2. named-checkconf Is Your Friend12.3. BIND Clauses12.3.1. BIND address_match_list Definition12.3.2. BIND acl Clause12.3.2.1. acl Clause Syntax12.3.3. BIND controls Clause12.3.4. BIND include Statement12.3.5. BIND key Clause12.3.5.1. key Clause Syntax12.3.6. BIND logging Clause12.3.6.1. logging Clause Syntax12.3.7. BIND lwres Clause12.3.7.1. lwres Clause Syntax12.3.8. BIND managed-keys Clause12.3.8.1. managed-keys Clause Syntax12.3.9. BIND masters Clause12.3.9.1. masters Clause Syntax12.3.10. BIND options Clause12.3.10.1. options Clause Syntax12.3.11. BIND server Clause12.3.11.1. server Clause Syntax12.3.12. BIND statistics-channels Clause12.3.13. BIND trusted-keys Clause12.3.14. BIND view Clause12.3.14.1. view Clause Syntax12.3.15. BIND zone Clause12.3.15.1. zone Clause Syntax12.4. BIND Statements12.5. BIND controls Statements12.5.1. inet Statement12.5.1.1. inet Statement Syntax12.6. BIND logging Statements12.6.1. channel Statement12.6.1.1. channel Statement Syntax12.6.2. category Statement12.6.2.1. category Statement Syntax12.7. BIND lwres Statements12.7.1. view12.7.2. search12.7.3. ndots12.8. BIND Transfer Statements12.8.1. allow-notify12.8.2. allow-transfer12.8.3. allow-update-forwarding12.8.4. also-notify12.8.5. alt-transfer-source, alt-transfer-source-v612.8.6. ixfr-from-differences12.8.7. max-journal-size12.8.8. max-refresh-time, min-refresh-time12.8.9. max-retry-time, min-retry-time12.8.10. max-transfer-idle-in12.8.11. max-transfer-idle-out12.8.12. max-transfer-time-in12.8.13. max-transfer-time-out12.8.14. multi-master12.8.15. notify12.8.16. notify-delay12.8.17. notify-source, notify-source-v612.8.18. notify-to-soa12.8.19. provide-ixfr12.8.20. request-ixfr12.8.21. serial-query-rate12.8.22. transfer-format12.8.23. transfer-source, transfer-source-v612.8.24. transfers-in12.8.25. transfers-per-ns12.8.26. transfers-out12.8.27. use-alt-transfer-source12.9. BIND Operations Statements12.9.1. avoid-v4-udp-ports, avoid-v6-udp-ports12.9.2. check-names12.9.3. check-dup-records, check-mx, check-wildcard12.9.4. check-integrity, check-mx-cname, check-sibling, check-srv-cname12.9.5. cleaning-interval12.9.6. coresize12.9.7. database12.9.8. datasize12.9.9. dialup12.9.10. directory12.9.11. disable-empty-zone, empty-contact, empty-server, empty-zones-enable12.9.12. dual-stack-server12.9.13. dump-file12.9.14. files12.9.15. flush-zones-on-shutdown12.9.16. heartbeat-interval12.9.17. hostname12.9.18. interface-interval12.9.19. journal12.9.20. lame-ttl12.9.21. listen-on12.9.22. listen-on-v612.9.23. match-mapped-addresses12.9.24. max-cache-size12.9.25. max-cache-ttl12.9.26. max-journal-size12.9.27. max-ncache-ttl12.9.28. memstatistics12.9.29. memstatistics-file12.9.30. pid-file12.9.31. port12.9.32. preferred-glue12.9.33. querylog12.9.34. recursing-file12.9.35. request-nsid12.9.36. reserved-sockets12.9.37. server-id12.9.38. stacksize12.9.39. statistics-file12.9.40. tcp-clients12.9.41. tcp-listen-queue12.9.42. try-tcp-refresh12.9.43. version12.9.44. zone-statistics12.9.45. zero-nosoa-ttl, zero-no-soa-ttl-cache12.10. BIND Performance Statements12.10.1. acache-cleaning-interval, acache-enable, max-acache-size12.10.2. attach-cache12.10.3. edns-udp-size12.10.4. max-udp-size12.10.5. minimal-responses12.11. BIND Query Statements12.11.1. additional-from-auth, additional-from-cache12.11.2. allow-query, allow-query-on12.11.3. allow-query-cache, allow-query-cache-on12.11.4. allow-recursion, allow-recursion-on12.11.5. auth-nxdomain12.11.6. blackhole12.11.7. clients-per-query, max-clients-per-query12.11.8. delegation-only12.11.9. forward12.11.10. forwarders12.11.11. query-source, query-source-v612.11.12. recursion12.11.13. recursive-clients12.11.14. root-delegation-only12.11.15. rrset-order12.11.16. sortlist12.11.16.1. sortlist Statement Syntax12.12. BIND Security Statements12.12.1. algorithm12.12.2. allow-update12.12.3. auto-dnssec12.12.4. bindkeys-file12.12.5. deny-answer-addresses, deny-answer-aliases12.12.6. disable-algorithms12.12.7. dnssec-accept-expired12.12.8. dnssec-dnskey-kskonly12.12.9. dnssec-enable12.12.10. dnssec-lookaside12.12.11. dnssec-must-be-secure12.12.12. dnssec-secure-to-insecure12.12.13. dnssec-validation12.12.14. key-directory12.12.15. managed-keys-directory12.12.16. random-device12.12.17. secret12.12.18. secroots-file12.12.19. session-keyfile, session-keyname, session-keyalg12.12.20. sig-signing-nodes, sig-signing-signatures12.12.21. sig-signing-type12.12.22. sig-validity-interval12.12.23. tkey-dhkey12.12.24. tkey-domain12.12.25. tkey-gssapi-credential12.12.26. update-check-ksk12.12.27. use-v4-udp-ports, use-v6-udp-ports12.12.28. update-policy12.13. BIND server Statements12.13.1. bogus12.13.2. edns12.13.3. keys12.13.4. transfers12.14. BIND view Statements12.14.1. match-clients12.14.2. match-destinations12.14.3. match-recursive-only12.15. BIND zone Statements12.15.1. check-names12.15.2. file12.15.3. masterfile-format12.15.4. masters12.15.5. type12.16. Summary
13. Zone File Reference
13.1. DNS Zone File Structure13.2. DNS Directives13.2.1. The $ORIGIN Directive13.2.1.1. The $ORIGIN Substitution Rule13.2.1.2. The $ORIGIN Syntax13.2.2. The $INCLUDE Directive13.2.2.1. $INCLUDE Syntax13.2.3. The $TTL Directive13.2.3.1. $TTL Syntax13.2.4. The $GENERATE Directive13.2.4.1. $GENERATE Syntax13.3. DNS Resource Records13.3.1. Resource Record Common Format13.3.1.1. The name Field13.3.1.2. Internationalized Domain Names for Applications (IDNA)13.3.1.3. The ttl Field13.3.1.4. The class Field13.3.1.5. The type Field13.3.1.6. The type-specific-data Field13.3.1.7. Bit Labels13.3.2. RRsets13.4. Resource Record Descriptions13.4.1. IPv4 Address (A) Record13.4.1.1. A RR Syntax13.4.2. Experimental IPv6 Address (A6) Record13.4.2.1. A6 RR Syntax13.4.3. IPv6 Address (AAAA) Record13.4.3.1. AAAA RR Syntax13.4.4. AFS Database (AFSDB) Record13.4.4.1. AFSDB RR Syntax13.4.5. Address Prefix List (APL) Record13.4.5.1. APL RR Syntax13.4.6. ATM Address (ATMA) Record13.4.7. Certificate (CERT) Record13.4.7.1. CERT RR Syntax13.4.8. Canonical Name (CNAME) Record13.4.8.1. CNAME RR Syntax13.4.9. Delegation of Reverse Names (DNAME) Record13.4.9.1. DNAME RR Syntax13.4.10. DHCID Record13.4.10.1. DHCID RR Syntax13.4.11. DLV Record13.4.12. DNSKEY Record13.4.12.1. DNSKEY RR Syntax13.4.13. Delegation Signer (DS) Record13.4.13.1. DS RR Syntax13.4.14. System Information (HINFO) Record13.4.14.1. HINFO RR Syntax13.4.15. Host Identity Protocol (HIP) Record13.4.15.1. HIP RR Syntax13.4.16. Integrated Services Digital Network (ISDN) Record13.4.16.1. ISDN RR Syntax13.4.17. IPSEC Key (IPSECKEY) Record13.4.17.1. IPSECKEY RR Syntax13.4.18. Public Key (KEY) Record13.4.18.1. KEY RR Syntax13.4.19. Key Exchanger (KX) Record13.4.19.1. KX RR Syntax13.4.20. Location (LOC) Record13.4.20.1. LOC RR Syntax13.4.21. Mailbox (MB) Record13.4.21.1. MB RR Syntax13.4.22. Mail Group (MG) Record13.4.22.1. MG RR Syntax13.4.23. Mailbox Renamed (MR) Record13.4.23.1. MR RR Syntax13.4.24. Mailbox Mail List Information (MINFO) Record13.4.24.1. MINFO RR Syntax13.4.25. Mail Exchange (MX) Record13.4.25.1. MX RR Syntax13.4.25.2. Subdomain MX Records13.4.26. Naming Authority Pointer (NAPTR) Record13.4.26.1. NAPTR RR Syntax13.4.27. Name Server (NS) Record13.4.27.1. NS RR Syntax13.4.28. Network Service Access Point (NSAP) Record13.4.28.1. NSAP RR Syntax13.4.29. Next Secure (NSEC) Record13.4.29.1. NSEC RR Syntax13.4.30. Next Secure 3 (NSEC3) RR13.4.30.1. NSEC3 RR Syntax13.4.31. Next Secure 3 Parameter (NECS3PARAM) RR13.4.31.1. NSEC3PARAM RR Syntax13.4.32. Pointer (PTR) Record13.4.32.1. PTR RR Syntax13.4.33. X.400 to RFC 822 E-mail (PX) Record13.4.33.1. PX RR Syntax13.4.34. Responsible Person (RP) Record13.4.34.1. RP RR Syntax13.4.35. Resource Record Signature (RRSIG) Record13.4.35.1. RRSIG RR Syntax13.4.36. Route Through (RT) Record13.4.36.1. RT RR Syntax13.4.37. Signature (SIG) Record13.4.37.1. SIG RR Syntax13.4.38. Start of Authority (SOA) Record13.4.38.1. SOA RR Syntax13.4.39. Sender Policy Framework (SPF) Record13.4.40. Services (SRV) Record13.4.40.1. SRV RR Syntax13.4.41. SSH Key Fingerprint (SSHFP) Record13.4.41.1. SSHFP RR Syntax13.4.42. Text (TXT) Record13.4.42.1. TXT RR Syntax13.4.43. Well-Known Service (WKS) Record13.4.43.1. WKS RR Syntax13.4.44. X.25 Address (X25) Record13.4.44.1. X25 RR Syntax13.4.45. Alternative Cryptographic Algorithms13.5. User-Defined RRs13.6. Summary
IV. Programming
14. BIND APIs and Resolver Libraries
14.1. DNS Libraries and APIs14.2. POSIX Library14.3. BIND 9 DNS Libraries14.3.1. Building BIND 9 Libraries14.3.2. DNSSEC Aware getaddrinfo() and getnameinfo()14.3.3. DNSSEC POSIX enhanced Calls14.3.4. Configuring for DNSSEC Validation14.3.5. Including Enhanced POSIX Functions in Applications14.3.6. BIND Library Functions14.4. BIND API Overview14.4.1. Advanced Database API (adb)14.4.2. Simple Database API (sdb)14.5. The Simple Database API (sdb)14.5.1. Callback Overview14.5.1.1. create()14.5.1.2. destroy()14.5.1.3. lookup()14.5.1.4. authority()14.5.1.5. allnodes()14.5.2. Registering the Callbacks14.5.2.1. dns_sdb_register() Function14.5.2.2. dns_sdc_unregister() Function14.5.2.3. isc_result_t Return Codes14.5.3. Adding the Driver to BIND14.5.3.1. Header File Insertion14.5.3.2. Initialization Function Insertion14.5.3.3. Termination Function Insertion14.5.3.4. Makefile.in Insertion14.5.4. The Callback Functions14.5.4.1. create() Callback Function14.5.4.2. destroy() Callback Function14.5.4.3. lookup() Callback Function14.5.4.4. authority() Callback Function14.5.4.5. allnodes() Callback Function14.5.5. Returning RRs14.5.5.1. dns_sdb_putrr() Function14.5.5.2. dns_sdb_putrdata() Function14.5.5.3. dns_sdb_putsoa() Function14.5.5.4. dns_sdb_putnamedrr() Function14.5.5.5. dsn_sdb_putnamedrdata() Function14.5.6. Memory Management for Drivers14.5.6.1. isc_mem_get() Function14.5.6.2. isc_mem_free() Function14.5.7. Logging for Drivers14.5.7.1. isc_log_write() Function14.5.8. Testing the Driver14.5.8.1. Building BIND14.5.9. sdb Sample Driver14.5.9.1. Source Module (example.c)14.5.9.2. Header File (example.h)14.6. Summary
15. DNS Messages and Records
15.1. DNS Message Formats15.1.1. DNS Message Overview15.1.2. DNS Message Format15.1.3. DNS Message Header15.1.4. DNS QUESTION SECTION15.1.5. DNS ANSWER, AUTHORITY, and ADDITIONAL SECTIONS15.1.5.1. NAME Field Format15.1.5.2. Non-EDNS0 Record Format15.1.6. EDNS0 Transactions15.1.7. OPT Pseudo RR Format15.2. DNS Binary RR Format15.2.1. Security Algorithm Formats15.2.1.1. Algorithm 5 (RSA-SHA-1) and 7 (RSASHA1-NSEC3-SHA1)15.2.2. NSEC/NSEC3 Bitmap Format15.3. Summary
V. Appendixes
A. DNS Registration and Governance
A.1. Answers
B. DNS RFCs

Overview

Pro DNS and BIND 10 guides you through the challenging array of features surrounding DNS with a special focus on the latest release of BIND, the world's most popular DNS implementation. This book unravels the mysteries of DNS, offering insight into origins, evolution, and key concepts like domain names and zone files. This book focuses on running DNS systems based on BIND 10, the first stable release that includes support for the latest DNSSEC standards.

Whether you administer a DNS system, are thinking about running one, or you simply want to understand the DNS system, then this book for you. Pro DNS and BIND 10 starts with simple concepts, then moves on to full security-aware DNSSEC configurations. Various features, parameters, and Resource Records are described and illustrated with examples.

The book contains a complete reference to zone files, Resource Records, and BIND's configuration file parameters. You can treat the book as a simple paint-by-numbers guide to everything from a simple caching DNS to the most complex secure DNS (DNSSEC) implementation. Background information is included for when you need to know what to do and why you have to do it, and so that you can modify processes to meet your unique needs.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781430230489Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills