Chapter 18 BIND Domain Name Server Administration


The Domain Name System (DNS) is a hierarchical, distributed database that stores information for mapping Internet host names to IP addresses and vice versa. It also stores mail routing information and other data used by Internet applications.

The Internet Express version of the Berkeley Internet Name Domain (BIND) implements a domain name server for the Tru64 UNIX operating system.

This chapter provides information that helps you enable the latest version of BIND and manage the BIND server. It contains the following sections:

BIND Overview

The Internet Domain Name System (DNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the rules used for delegating authority over names, and the system implementation that actually maps names to Internet addresses. The Internet Express version of the Berkeley Internet Name Domain (BIND) implements a domain name server for the Tru64 UNIX operating system. Using BIND, DNS data is maintained in a group of hierarchical databases.

Clients look up information in DNS by calling a resolver library. This library sends queries to one or more name servers and interprets the responses. BIND Version 9.2.0, provided with Internet Express, is a complete rewrite of the Internet Software Consortium's BIND code base that contains both a name server and a resolver library.

Important BIND Files and Directories

Table 18-1 lists the files, commands, and reference pages that help you administer your BIND server. For further information about performing specific BIND administrative tasks, see the BIND administrator's reference and other information from the BIND Web site:

http://www.isc.org/products/BIND/bind9.html 

Table 18-1 BIND Files and Directories

/usr/sbin/bind9enable
    Script that switches the version of BIND from Version 8 to Version 9.2.0, and back again.

/usr/sbin/init.d/named
    Script that starts and stops the service.

/usr/sbin/
    Location of BIND binary files. See Table 18-2 for descriptions of these files.

/usr/lib/bind9
    Location of static and shared libraries.

/usr/internet/docs/bind9/
    Location of BIND documentation. See the BIND Documentation section of this chapter for complete information about the contents of this directory and other BIND documentation.

/usr/share/man/
    Location of BIND reference pages.

/usr/include/bind9
    BIND Version 9.2.0 header files. They are placed in the bind9 subdirectory so that existing header files for older versions of BIND are not overwritten.

Table 18-2 describes the contents of the binary file directories. See the BIND reference pages and the BIND Administrator Reference Manual (/usr/internet/docs/bind9/arm) for additional information about these files.

Table 18-2 BIND Binary File Directories

/usr/sbin/lwresd
    Lightweight Resolver Daemon – Experimental daemon that provides name lookup services to clients using the BIND Version 9.2.0 lightweight resolver library. It is a simplified caching-only name server that answers queries using the BIND Version 9.2.0 lightweight resolver protocol rather than the DNS protocol.

/usr/sbin/named9
    BIND Version 9.2.0 Internet domain name server.

/usr/sbin/rndc
    Remote Named Daemon Control.

/usr/sbin/rndc-confgen
    Script to assist creation of /etc/namedb9/rndc.conf and /etc/namedb9/named.conf excerpts.

/usr/sbin/dnssec-keygen
    DNSSEC key generation tool – Generates keys for DNSSEC (Secure DNS), as defined in RFC 2535. Also generates keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.

/usr/sbin/dnssec-makekeyset
    DNSSEC zone signing tool – Generates a key set from one or more keys created by dnssec-keygen. Creates a file containing a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form keyset-nnnn, where nnnn is the zone name.

/usr/sbin/dnssec-signkey
    DNSSEC zone signing tool – Signs a key set. Typically, the key set will be for a child zone and will have been generated by dnssec-makekeyset. The child zone's key set is signed with the zone keys for its parent zone. The output file is of the form signedkey-nnnn, where nnnn is the zone name.

/usr/sbin/dnssec-signzone
    DNSSEC zone signing tool – Signs a zone. Generates NXT and SIG records and produces a signed version of the zone. If there is a signedkey file from the zone's parent, the parent's signatures are incorporated into the generated signed zone file. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a signedkey file for each child zone.

/usr/sbin/named-checkconf
    Named configuration file syntax checking tool – Checks the syntax, but not the semantics, of a named configuration file.

/usr/sbin/named-checkzone
    Zone file validity checking tool – Checks the syntax and integrity of a zone file. It is useful for checking zone files before configuring them into a name server. Performs the same checking as named when loading a zone.

/usr/bin/dig
    DNS lookup utility dig (domain information groper) – Interrogates DNS name servers. This tool performs DNS lookups and displays the answers that are returned from the name server (or servers) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output. Other lookup tools tend to have less functionality than dig.

/usr/bin/host
    DNS lookup utility host – Performs DNS lookups. This utility is normally used to convert names to IP addresses and vice versa.

/usr/bin/nslookup9
    DNS lookup utility – Displays the following message: “Note: nslookup is deprecated and may be removed from future releases. Consider using the `dig' or `host' programs instead. Run nslookup with the `-sil[ent]' option to prevent this message from appearing.”

/usr/bin/nsupdate
    Dynamic DNS update utility – Submits Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added to or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.

Enabling BIND

The enable script, /usr/sbin/bind9enable, enables either BIND Version 9.2.0 or BIND Version 8.

To enable a version of BIND:

  1. Run the rndc-confgen key generation tool. This tool provides a convenient method for generating configuration files for the rndc name server control utility and must be run before enabling a version of BIND. See the README.1st file in the documentation provided with the software for more information, and review the BIND documentation described in the BIND Documentation section of this chapter. For specific information about the rndc-confgen key generation tool, see the rndc-confgen(8) reference page. For information about the rndc name server control utility and its configuration file, see the rndc(8) and rndc.conf(5) reference pages.

  2. Use one of the following methods to enable either BIND Version 9.2.0 or BIND Version 8:

    • To enable BIND Version 9.2.0, enter /usr/sbin/bind9enable v9 from the UNIX command prompt.

      The enabler script copies sbin/init.d/named9 to sbin/init.d/named, allowing BIND Version 9.2.0 to run. See the Running the BIND Startup Script section for information on starting the BIND Version 9.2.0 server.

    • To enable BIND Version 8, enter /usr/sbin/bind9enable v8 from the UNIX command prompt.

      The enabler script copies sbin/init.d/named8 to sbin/init.d/named, allowing BIND Version 8 to run. This reverts to the version of BIND already installed on the system. See the Running the BIND Startup Script section for information on starting the BIND Version 8 server.

  3. When the sysman utility configures a BIND server, it adds a directory statement to the options section of /etc/namedb/named.conf. The /usr/sbin/bind9enable script copies the data files from /etc/namedb to /etc/namedb9. The network administrator must therefore either remove the directory statement, which lets named9 read files from its default location (/etc/namedb9), or update the statement to reflect the new location.
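One way to carry out step 3 without hand-editing, as an added example that is not part of the Internet Express documentation: it rewrites a directory statement that still names /etc/namedb so that it names /etc/namedb9, then runs named-checkconf on the result when that tool is installed. The paths are the chapter's; the function names and the sample named.conf are constructed for this example.

```shell
#!/bin/sh
# Added example (not Internet Express code): after /usr/sbin/bind9enable v9
# has copied the data files to /etc/namedb9, point a stale "directory"
# statement at /etc/namedb9 and check the result with named-checkconf.
# Function names and the sample file are constructed for this example.

# Print the path from the first directory statement in a named.conf.
named_conf_directory() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Replace a directory statement naming the BIND 8 data directory ($2) with
# the BIND 9 one ($3). Returns 0 when changed, 1 when nothing needed doing.
fix_named_conf_directory() {
    conf=$1; old=$2; new=$3
    [ "$(named_conf_directory "$conf")" = "$old" ] || return 1
    tmp="$conf.tmp.$$"
    sed "s|^\([[:space:]]*directory[[:space:]]*\)\"$old\"|\1\"$new\"|" "$conf" > "$tmp" &&
        mv "$tmp" "$conf"
}

# Syntax-check the file with named-checkconf when the tool is installed;
# as the chapter notes, it checks syntax only, not semantics.
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check" >&2
    fi
}

# Constructed sample named.conf as sysman leaves it for a BIND 8 server.
SAMPLE_CONF=${TMPDIR:-/tmp}/named.conf.example.$$
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/etc/namedb";
};
zone "example.com" {
    type master;
    file "example.com.db";
};
EOF

fix_named_conf_directory "$SAMPLE_CONF" /etc/namedb /etc/namedb9
check_named_conf "$SAMPLE_CONF" || echo "named-checkconf reported errors" >&2
```

Run it against /etc/namedb9/named.conf in place of the sample file once bind9enable has copied the data files.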

By default, the named daemon is built to read files from the sbin/init.d/ directory. You can change this default with a directory statement in the options section of your named.conf file.

If you cluster a standalone system, you must rerun /usr/sbin/bind9enable.

Note:

Do not start the named daemon manually. Do not run the named daemon on more than one cluster member, and do not start multiple daemons on a single host.

Running the BIND Startup Script

After enabling the BIND Version 9.2.0 or BIND Version 8 server (see the Enabling BIND section), start the BIND server from the UNIX command prompt as follows:

  1. Enter /sbin/init.d/named start.

  2. Enter /sbin/rcinet start.

  3. Reboot the system.

BIND Version 9.2.0 runs on Tru64 UNIX Version 5.0A and later. Tru64 UNIX Version 5.1B also provides the /dev/random device as a source of entropy, and the BIND Version 9.2.0 tools accept an option (-r) that names the file to read randomness from. For example:

    On V5.0A (no /dev/random; a saved process listing is used as the randomness file):
        ps auxw > /tmp/foo; rndc-confgen -r /tmp/foo

    On V5.1B:
        rndc-confgen -r /dev/random

Refer to the reference pages in /usr/share/man for more information about this option.

BIND Documentation

Internet Express provides a collection of documentation for BIND Version 9.2.0 in the /usr/internet/docs/bind9/ directory:

  • COPYRIGHT — Copyright information.

  • FAQ — Frequently asked questions.

  • CHANGES — Build changes and bug fixes.

  • arm — BIND Administrator Reference Manual in HTML format.

  • dnssec — Summarizes the state of the DNSSEC implementation in this release of BIND. To support DNSSEC, BIND Version 9.2.0 must be linked with the OpenSSL library Version 0.9.5a or higher.

  • format-options.pl — Summarizes the named.conf options supported by this version of BIND.

  • ipv6 — Discusses compile-time and run-time issues for using IPv6 with BIND Version 9.2.0.

  • migration — Discusses issues with upgrading a BIND 8 installation to BIND Version 9.2.0.

  • migration-4to9 — Describes how to transition from BIND Version 4 to BIND Version 9.2.0 using the contrib/named-bootconf conversion tool.

  • options — Summarizes the named.conf options supported by this version of BIND.

  • rfc-compliance — Lists the RFCs for compliance with IETF standards.

  • README.1st — Provides important information about the Internet Express implementation of BIND Version 9.2.0.

  • roadmap — Provides a roadmap to the BIND Version 9.2.0 source tree.

  • sdb — Describes how to use and maintain the BIND Version 9.2.0 Simplified Database Interface, which allows you to extend BIND with new ways of obtaining the data published as DNS zones.

Reference pages for BIND are available from the Internet Express Reference Pages. You can also access them from /usr/share/man/.

Documentation for setting up a dynamic domain name server using BIND Version 9.2.0 can be found at the following URL:

http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Additional information on BIND Version 9.2.0 can be found at the Internet Software Consortium's BIND Web site:

http://www.isc.org/products/BIND/bind9.html