Revision: $Revision: 482 $ ($Date: 2011-04-15 10:45:32 +0200 (Fri, 15 Apr 2011) $)
Resources and further reading: Albitz01, DNShowto, BINDfaq.
Candidates should be able to create a zone file for a forward or reverse zone or root level server. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
Key knowledge areas are: BIND 9 configuration files, terms and utilities; utilities to request information from the DNS server; layout, content and file location of the BIND zone files and various methods to add a new host in the zone files, including reverse zones.
Key files, terms and utilities include:
contents of /var/named |
zone file syntax |
resource record formats |
dig |
nslookup |
host |
There are zones and reverse
zones. Each named.conf will contain
definitions for both.
Examples of zones are
localhost (used internally) and
example.com (an external example which does not
necessarily exist in reality).
Examples of reverse zones are
127.in-addr.arpa (used internally), and
240.123.224.in-addr.arpa (a real-world example).
How zones are related to reverse zones is shown below.
A special domain, localhost, will
be predefined in most cases.
Here is the corresponding zone file
/etc/bind/db.local called from the
example named.conf shown earlier in this
chapter.
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
The @ contains the name of the zone. It is called
the current origin.
A zone statement in named.conf
defines that current origin, as is seen in
this part of the named.conf file we saw earlier:
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
So in this case the zone is called localhost and
all current origins in the zone file will become
localhost.
Other parts of a zone file will be explained in the section called “Zone files” below.
To each IP range in a zone file, there is a corresponding
reverse zone that is described in a
reverse zone file. Here is the file
/etc/bind/db.127:
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
This is the calling part from named.conf:
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
As can be seen, the current origin will be
127.in-addr.arpa, so all @'s in
the reverse zone file will be replaced by
127.in-addr.arpa.
But there is more: all host names that do not end in a dot get the current origin appended. This is important , so I repeat:
As an example: 1.0.0 will become
1.0.0.127.in-addr.arpa.
Normal IP addresses (e.g. 127.0.0.1) do not get the current origin appended.
Again, details about the reverse zone file will be discussed below.
The localhost and
127.in-addr.arpa zones are for internal use within
a system.
In the outside world, zones are hierarchically organized. The root
zone (denoted with a dot (.)) is listed in
a special hints file. The following zone statement from
named.conf reads a root zone file called
/etc/bind/db.root
zone "." {
type hint;
file "/etc/bind/db.root";
};
By the way, note the type: hint!
It is a special type for the root zone. Nothing else is stored in
this file, and it is not updated dynamically.
Here is a part from the db.root file.
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
Note the dot at the left, this is the root zone!
Either your distribution or you personally must keep the root zone
file current.
You can look at ftp.rs.internic.net for a new
version. Or, you could run something like
dig @a.root-servers.net . ns > roothints
This will create a new file.
You can also run
dig @a.root-servers.net . SOA
You can do this periodically to see if the SOA version number (see below) has changed.
The root zone knows about all top-level domains directly under it,
e.g., the edu and org domains
as well as the country-specific domains like uk
and nl.
If the example.org domain (used here for
illustration purposes) were a real domain, it would not be handled by
the root name servers. Instead, the nameservers for the
org domain would know all about it. This is called
delegation: the root name servers have
delegated authority for zones under
org to the name servers for the
org zone. Doing delegation yourself will be
explained later in the section called “Delegating a DNS zone”.
A zone file is read from the named.conf file with
a zone statement like
zone "example.org" IN {
type master;
file "/etc/bind/exampleorg.zone";
};
This is an example zone file for the zone
example.org.
$TTL 86400
@ IN SOA lion.example.org. dnsmaster.lion.example.org. (
2001110700 ; Ser: yyyymmhhee (ee: ser/day start 00)
28800 ; Refresh
3600 ; Retry
604800 ; Expiration
86400 ) ; Negative caching
IN NS lion.example.org.
IN NS cat.example.org.
IN MX 0 lion.example.org.
IN MX 10 cat.example.org.
lion IN A 224.123.240.1
IN MX 0 lion.example.org.
IN MX 10 cat.example.org.
doggy IN A 224.123.240.2
cat IN A 224.123.240.3
; our laptop
bird IN A 224.123.240.4
Let's examine this file in detail.
The $TTL is the default Time To
Live for the zone. When a name server requests information about this
zone, it also gets the TTL. After the TTL is expired, it should
renew the data in the cache.
$TTL 3h
This sets the default TTL to 3 hours, and
$TTL 86400
this one to 86400 seconds (same as 1d (1 day)).
Since BIND version 8.2 each zone file should start with a default TTL. A default value is substituted and a warning generated if the TTL is omitted. The change is defined in RFC2308.
At the same time, the last SOA time field changed meaning. Now it is the negative caching value, which is explained below.
The acronym SOA means Start Of Authority.
It tells the outside world that this name server
is recognized as the authoritative name server to query about this
domain.
This has two aspects: first, the parent zone org
has delegated (granted) the use of the
example.org domain to us, the second is that we
claim to be the authority over this zone.
Earlier we saw the following SOA record:
@ IN SOA lion.example.org. dnsmaster.lion.example.org. (
2001110700 ; Ser: yyyymmhhee (ee: ser/day start 00)
28800 ; Refresh
3600 ; Retry
604800 ; Expiration
86400 ) ; Negative caching
Elements of these SOA lines are
@
the current origin, which expands to
example.org (see the named.conf file).
INthe Internet data class. Don't ask.
SOAstart of authority - that's what this section is about
lion.example.org.the name of the machine that has the master (see the section called “Master and slave servers”) name server for this domain.
The email address of the person to mail in case of trouble,
with the commercial at symbol (@)
normally in the email address replaced by a dot. Uncovering
the reason for this is left as an exercise for the reader
(something with current origin .....?)
(
five numbers
)
The first number is the serial number. For a zone
definition that never changes (e.g., the
localhost zone) a single
1 is enough.
For zones that do change, however, another format is
rather common: yyyymmddee.
That is, 4 digits for the year, two for the month,
two for the day, plus two digits that start with
00 and are incremented every time
something is changed.
For example a serial number of
2001110701
corresponds to the second (!) change of the 7th of
November in the year 2001. The next day, the first
change will get the serial number
2001110800.
Each time something is changed in a zone definition, the serial number must grow (by at least one). If the serial number does not grow, changes in the zone will go unnoticed.
The second number is the refresh rate. This is how frequently a slave server (see below) should check to see whether data has been changed.
Suggested value in rfc1537: 24h
The third number is the retry value. This is the time a slave server must wait before it can retry after a refresh or failure, or between retries.
Suggested value in rfc1537: 2h
The fourth number is the expiration value. If a slave server cannot contact the master server to refresh the information, the zone information expires and the slave server will stop serving data for this zone.
Suggested value in rfc1537: 30d
The fifth number is the negative caching value TTL. Negative caching means that a DNS server remembers that it could not resolve a specific domain. The number is the time that this memory is kept.
Reasonable value: 1h
This is the address record. It connects an IP address to a hostname. An example record is
lion IN A 224.123.240.1
This connects the name lion.example.org
(remember that the current origin example.org
is added to any name that does not end in a dot) to the IP address
224.123.240.1.
Each A record has a corresponding
PTR record. This is described in
the section called “Reverse zone files”.
The A record is used by IPv4, the current version of the IP protocol.
The next generation of the protocol, IPv6, has an
A6 record type.
IPv6 is not discussed here.
A CNAME record specifies another name for
a host with an A record.
An example of a combined A and
CNAME record is
cat IN A 224.123.240.3
www IN CNAME cat.example.org.
This makes www.example.org point to
cat.example.org.
Specifies a name server for the zone. For example
@ IN SOA .....
IN NS lion.example.org.
IN NS cat.example.org.
The first thing that catches one's eye is that there is nothing
before the IN tag in the NS lines. In this case, the current origin
that was specified earlier (here with the SOA) is
still valid as the current origin.
The name servers must be specified as IP addresses (can you guess why?).
There must be at least two independent name servers for each domain. Independent means connected to separate networks, separate power lines, etc. See the section called “Master and slave servers” below.
The MX record system is used by the mail transfer system, e.g., the
sendmail daemons.
The number after the MX tag is the priority.
A priority of 0 is the highest priority.
The higher the number, the lower the priority. Priority 0
will be used for the host where the mail is destined. If that host
is down, another host with a lower priority will temporarily store
the mail.
Example entries
lion IN A 224.123.240.1
IN MX 0 lion.example.org.
IN MX 10 cat.example.org.
So this example specifies that mail for
lion.example.org is first sent to
lion.example.org. If that host is down,
cat.example.org is used instead.
To distribute mail equally among two hosts, give them the same
priority. That is, if another host with priority
10 is added, they will both receive a share of
mail when lion.example.org is down.
Mail can be delivered to a host, as was shown in the previous section. But the Mail Transfer Agent (MTA) and the DNS can be configured in such a way that a host accepts mail for a domain.
Considering our example, host lion.example.org
can be configured to accept mail for example.org.
To implement this, place MX records for
example.org, e.g.:
; accept mail for the domain too
example.org. IN MX 0 lion.example.org.
example.org. IN MX 10 cat.example.org.
in the example.org zone file.
Mail addressed to example.org will only be
accepted by the MTA on lion.example.org host
if the MTA is configured for this.
Each IP range has a reverse zone, that consists
of part of the IP numbers in reverse order, plus
in-addr.arpa. This system is used amongst others,
to check if a hostname belongs to a specified address.
Our example.org domain uses the IP range
224.123.240.x.
The corresponding reverse zone is called
240.123.224.in-addr.arpa. In
named.conf this could be the corresponding
entry:
zone "240.123.224.in-addr.arpa" IN {
type master;
file "/etc/bind/exampleorg.rev";
};
An example /etc/bind/exampleorg.rev
(corresponding to the example.org domain we saw
earlier) is:
$TTL 86400
@ IN SOA lion.example.org. dnsmaster.lion.example.org. (
2001110700 ; Ser: yyyymmhhee (ee: ser/day start 00)
28800 ; Refresh
3600 ; Retry
604800 ; Expiration
86400 ) ; Negative caching
IN NS lion.example.org.
IN NS cat.example.org.
1 IN PTR lion.example.org.
2 IN PTR doggy.example.org.
3 IN PTR cat.example.org.
4 IN PTR bird.example.org.
The current origin is 240.123.224.in-addr.arpa,
so the entry for bird actually is
4.240.123.224.in-addr.arpa IN PTR bird.example.org.
What happens if you omit the dot after
example.org in this line?
Each zone (except the ones local to the machine, such as
localhost) must have at least one
master name server. It can be supported by one or
more slave name servers.
There should be two independent name servers for each zone. Independent means connected to a different network and other power supplies. If one power plant or network fails the resolving names from the zone must still be possible. A good solution for this is one master and one slave name server at different locations.
Both master and slave name servers are authoritative for the zone (if the zone was delegated properly, see the section called “Delegating a DNS zone”). That is, they both give the same answers about the zone.
The data of a zone originate on a master name server for that zone. The slave name server copies the data from the master. Other name servers can contact either a master or a slave to resolve a name.
This implies that the configuration must handle
slave name server access control on the master
other name server access control on both master and slave name servers
A zone definition is defined as master by using the
type master;
statement inside a zone definition.
See, for example, this zone statement (in
named.conf)
zone "example.org" IN {
type master;
file "/etc/bind/exampleorg.zone";
};
defines the example.org master.
Of course,
The exampleorg.zone file must, of course, be
created as discussed earlier.
There can be multiple independent master name servers for the same zone.
A notify statement controls whether or not the
master sends DNS NOTIFY messages upon change of a master zone.
The notify statement can be put in a
zone statement as well as in an
options statement. If one is present in both the
zone and options statements, the
former takes precedence.
When a slave receives such a NOTIFY request (and supports it), it
initiates a zone transfer to the master immediately to update the zone
data. The default is notify yes;. To turn it off
(when, e.g., a zone is served by masters only) set notify
no;.
How does the master know which slave servers serve the same zone?
It inspects the NS records defined for the zone.
Extra slave servers can be specified with the
also-notify statement (see the named.conf(5)
manpage).
Older versions of BIND used the term primary instead of master.
A zone definition is defined as slave by using the
type slave;
statement inside a zone definition, accompanied by the IP address(es)
of the master(s).
Here, for example, is the zone statement (in
named.conf), which defines a
example.org slave:
zone "example.org" IN {
type slave;
masters { 224.123.240.1; }; // lion
file "db.example.org";
};
The file is created by the slave name server itself. The slave has no
data for example.org. Instead, a slave receives
its data from a master name server and stores it in the specified
file.
Note that the filename has no directory component. Hence it will be
written in the BIND working directory given by the
directory option in
named.conf. For instance,
/var/cache/bind or
/var/named.
The name server must have write access to the file.
Older versions of BIND used the term secondary instead of slave.
There are two ways to create a subdomain: inside a zone or as a delegated zone.
The first is to put a subdomain inside a normal zone file.
The subdomain will not have its own
SOA and NS records.
This method is not recommended - it is harder to maintain and may
produce administrative problems, such as signing a zone.
The other method is to delegate the subdomain to a separate zone. It is described next.
A real, independent subdomain can be created by configuring the
subdomain as an independent zone (having its own
SOA and NS records) and
delegating that domain from the parent domain.
A zone will only be authoritative if the parent
zone has delegated its authority to the zone. For example, the
example.org domain was delegated by the
org domain.
Likewise, the example.org domain could delegate
authority to an independent scripts.example.org
domain. The latter will be independent of the former and have its
own SOA and NS records.
Let's look at an example file of the
scripts.example.org zone:
$ORIGIN scripts.example.org.
ctl IN A 224.123.240.16
IN MX 0 ctl
IN MX 10 lion.example.org.
www IN CNAME ctl
perl IN A 224.123.240.17
IN MX 0 perl
IN MX 10 ctl
IN MX 20 lion.example.org.
bash IN A 224.123.240.18
IN MX 0 bash
IN MX 10 ctl
IN MX 20 lion.example.org.
sh IN CNAME bash
Nothing new, just a complete zone file.
But, to get it authoritative, the parent domain, which is
example.org in this case, must
delegate its authority to the
scripts.example.org zone.
This is the way to delegate in the example.org
zone file:
scripts 2d IN NS ctl.scripts.example.org.
2d IN NS bash.scripts.example.org.
ctl.scripts.example.org. 2d IN A 224.123.240.16
bash.scripts.example.org. 2d IN A 224.123.240.18
That's all!
The NS records for scripts
do the actual delegation.
The A records must be present,
otherwise the name servers of scripts cannot be
located.
It is advised to insert a TTL field
(like the 2d in the example).
Three DNS utilities can help to resolve names and even debug a DNS zone.
They are called dig, host
and nslookup. All three are part of the BIND source
distribution.
The dig command lets you resolve names in a way
that is close to the setup of a zone file.
For instance, you can do
dig bird.example.org A
This will do a lookup of the A record of
bird.example.org.
Part of the output looks like this:
;; ANSWER SECTION:
bird.example.org. 1D IN A 224.123.240.4
;; AUTHORITY SECTION:
example.org. 1D IN NS lion.example.org.
;; ADDITIONAL SECTION:
lion.example.org. 1D IN A 224.123.240.1
If dig shows a SOA record
instead of the requested A record, then the domain
is ok, but the requested host does not exist.
It is even possible to query another name server instead of the one(s)
specified in /etc/resolv.conf:
dig @cat.example.org bird.example.org A
This will query name server cat.example.org for the
A record of host bird.
The name server that was contacted for the query will be listed
in the tail of the output.
The dig can be used to test or debug your
reverse zone definitions.
For instance,
dig 4.240.123.224.in-addr.arpa PTR
will test the reverse entry for the lion host.
You should expect something like this:
;; ANSWER SECTION:
4.240.123.224.in-addr.arpa. 1D IN PTR lion.example.org.
;; AUTHORITY SECTION:
240.123.224.in-addr.arpa. 1D IN NS lion.example.org.
;; ADDITIONAL SECTION:
lion.example.org. 1D IN A 224.123.240.4
If you get something like
;; ANSWER SECTION:
4.240.123.224.in-addr.arpa. 1D IN PTR lion.example.org.240.123.224.in-addr.arpa.
you've made an error in your zone file.
Given a current origin of
240.123.224.in-addr.arpa., consider the line:
4 IN PTR lion.example.org ; WRONG!
The dot at the end was omitted, so the current origin is appended automatically. To correct this, add the trailing dot:
4 IN PTR lion.example.org. ; RIGHT!
When specifying a hostname like
bird.example.org or
4.240.123.224.in-addr.arpa to
dig, a trailing dot may be added.
The host program reports resolver information in
a simple format.
When a hostname is specified as a parameter, the corresponding
A record will be shown.
host bird.example.org
will result in output like
bird.example.org A 224.123.240.4
The host program is especially useful
when a hostname is wanted and an IP address is given.
For example:
host 224.123.240.4
from our example hosts shows output like:
Name: bird.example.org
Address: 224.123.240.4
The following command is also possible:
host 4.240.123.224.in-addr.arpa
resolves the PTR record:
4.240.123.224.in-addr.arpa PTR bird.example.org
As is the case with dig, when specifying a
hostname like bird.example.org or
4.240.123.224.in-addr.arpa to
host, a trailing dot may be added.
The nslookup program is yet another way to resolve names. However, its setup is quite different. It's a tool that can be used interactively and more request types can be handled than with dig or host.
For instance, start the interactive mode by entering nslookup and typing:
ls -d example.org.
In result, the output will be shown in a zonefile-like format (beginning shown):
[lion.example.org]
$ORIGIN example.org.
@ 1D IN SOA lion postmaster.lion (
2001110800 ; serial
8H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
1D IN NS lion
1D IN MX 0 lion
The first line, in square brackets, contains the name of the name server that sent the answer.
The example shown requires a zone transfer from the connected name server. If this name server refuses zone transfers (as will be discussed below), you will of course not see this output.
A lot of commands can be given to nslookup in
interactive mode: the help command will present a
list.