Annotated edit history of NamedNotes version 24, including all changes.
See Also: named(8), named.conf(5), [DNSHowto], ZoneFile, [DNSBestPractices]
----
If you have any problems with your zone files, you probably forgot a "."

----
You can generate huge sections of your zone file (for DHCP entries, for instance) by using $GENERATE, for example:

<verbatim>
$GENERATE 150-250 $.0.168.192.in-addr.arpa. PTR dhcp-$.example.com.
</verbatim>
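As an added illustration (not from the original page), this Python function expands a $GENERATE directive into the plain records named would synthesise, including the ${offset,width,base} modifier and the optional /step on the range, so you can see exactly which PTR records the line above creates before loading the zone. The function name expand_generate is my own; it handles the d, o, x and X bases only.

```python
import re

# Added example: expand a BIND $GENERATE directive into the plain records it
# stands for. "$" in the owner or rdata becomes the iterator value, the
# "${offset,width,base}" form (base d, o, x or X) offsets and pads it, and
# "\$" is a literal "$". The range is start-stop with an optional /step.
_ITER = re.compile(r"\\\$|\$(?:\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?")

def _subst(token: str, i: int) -> str:
    def repl(m) -> str:
        if m.group(0) == "\\$":
            return "$"
        offset, width = int(m.group(1) or 0), int(m.group(2) or 0)
        base = m.group(3) or "d"
        return format(i + offset, f"0{width}{base}" if width else base)
    return _ITER.sub(repl, token)

def expand_generate(line: str) -> list[str]:
    """Return the records one $GENERATE line produces, one per iterator value."""
    parts = line.split()
    if len(parts) < 5 or parts[0].upper() != "$GENERATE":
        raise ValueError("not a $GENERATE directive")
    m = re.fullmatch(r"(\d+)-(\d+)(?:/(\d+))?", parts[1])
    if not m:
        raise ValueError(f"bad range {parts[1]!r}")
    start, stop, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
    if stop < start or step < 1:
        raise ValueError("range must be start-stop with start <= stop and step >= 1")
    # TTL, class and type tokens contain no "$", so substituting in every
    # token after the range leaves them untouched.
    return [" ".join(_subst(tok, i) for tok in parts[2:])
            for i in range(start, stop + 1, step)]

if __name__ == "__main__":
    # the directive from the note above: reverse records for a DHCP pool
    for rec in expand_generate(
            "$GENERATE 150-250 $.0.168.192.in-addr.arpa. PTR dhcp-$.example.com."):
        print(rec)
```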

----
MX and NS records can't point to CNAMEs or directly to raw IP addresses; point them to a name that has an A or AAAA (or A6) record.

----
You can have more than one record type for a domain/host, so long as none of them is a CNAME, i.e. you can have two A's, or an A and a TXT, but ''never'' an A and a CNAME, or a TXT and a CNAME, or even two CNAMEs.

The same applies to DNAMEs (you can't have a DNAME and any other record type, including another DNAME or CNAME).

----
You can define separate TTLs (in seconds) for individual records, e.g.:

<verbatim>
shortttl 3600 IN A 127.0.0.1
</verbatim>

This will give shortttl.domain.co.nz a TTL of an hour.

----
Try to have names for services (such as "proxy", "www", "smtp" etc.), as this means that when you move a service onto a different machine you can change the DNS once and everything will be updated. See [DNSBestPractices] for examples.

----
Try to use one name for the NS record of all zones that reside on that machine. For example, in "foo.example.com" use "ns1.example.com" and in "example2.com" use "ns1.example.com"; this means that when "ns1.example.com" changes its IP, you will only have to update it once for each registrar, not once per registrar per zone. This also means that DNS caches don't fill up with needless entries. Try to make sure that this name server has glue to avoid unnecessary lookups.

----
An example zone file:
<verbatim>
$TTL 3600
@ IN SOA example.com. soa.example.com. (
2005071300 ; serial (in YYYY-mm-dd revision format)
10800 ; refresh (10800 seconds = 3 hours)
3600 ; retry (3600 seconds = 1 hour)
3628800 ; expire (6 weeks)
86400 ) ; negative cache time-to-live
@ 604800 IN NS ns1.example.com.
@ 604800 IN NS ns2.example.com.
@ IN MX 10 smtp.example.com.
@ IN MX 20 smtp.example.org.
ns1 604800 IN A 192.0.2.1
ns2 604800 IN A 10.0.0.1
smtp IN A 192.0.2.1
box1 IN A 192.0.2.2
proxy IN CNAME box1
pop3 IN CNAME box1
www IN CNAME box1
news IN CNAME box1
</verbatim>

See ZoneFile for a more verbose description.
----
Useful config tweaks (possibly [Debian]-specific).

(found at http://www.cryptio.net/~ferlatte/config/)

1) Run bind as non-root. Create a bind user with home directory /var/cache/bind, run chown -R bind.bind /var/cache/bind, and add OPTIONS="-u bind -g bind" to /etc/default/bind. This has the side-effect of preventing named from listening on interfaces that are created after it starts.

2) Add "category statistics { null; };" to the logging section of /etc/bind/named.conf to prevent stats going into syslog.
----
Root zone
Debian woody (bind ver 8) -
/etc/bind/named.conf:
<verbatim>
zone "." {
type hint;
file "/etc/bind/db.root";
};
</verbatim>
Red Hat 8 (bind ver 9) -
<verbatim>
zone "." {
type hint;
file "named.ca";
};
</verbatim>
(this file should live in /var/named/)
----
ISC has recently released a patch that fixes problems with the Verisign wildcard on the .com and .net root zones. The patch only allows delegations from the root zones and will ignore any A records that are returned directly from the root zone. This seems to be quite a tidy solution to the problem.

You can find more details about the patch at the URL below.
http://www.isc.org/products/BIND/delegation-only.html
----
I've written a [script|http://www.wlug.org.nz/archive/validate_zones] to check for obvious mistakes in zone files (forgotten a "." or forgotten to update the serial).
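An added example, not the validate_zones script linked above: a Python lint that applies the rules from the notes higher up (a forgotten trailing ".", MX/NS records pointing at CNAMEs or raw addresses, a CNAME sharing an owner with other records) to a zone written in the style of the example zone file. The sample zone and the function names are my own; the trailing-dot check is a heuristic that flags relative targets containing a dot that match no owner in the zone.

```python
# Added example, not the wiki's validate_zones script: lint a zone for the rules
# in the notes above. Assumes every record starts with an owner name (as in the
# example zone); handles "@", relative names, TTL/class and a multi-line SOA.
import re
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_zone(text: str, origin: str) -> list[tuple[str, str, str]]:
    fqdn = lambda n: origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    recs, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()              # drop comments
        if not line or line.startswith("$"):
            continue
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                                     # inside a multi-line SOA
        f, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        # keep owner, type and name-valued rdata; drop TTL, class and numbers
        f = f[:1] + [x for x in f[1:] if not (x.isdigit() or x.upper() in ("IN", "CH", "HS"))]
        recs.append((fqdn(f[0]), f[1].upper(), f[-1]))
    return recs

def lint_zone(text: str, origin: str) -> list[str]:
    recs = parse_zone(text, origin)
    types: dict[str, list[str]] = {}
    for owner, rtype, _ in recs:
        types.setdefault(owner, []).append(rtype)
    cnames = {o for o, t in types.items() if "CNAME" in t}
    out = [f"{o}: CNAME cannot coexist with other records ({', '.join(t)})"
           for o, t in types.items() if "CNAME" in t and len(t) > 1]
    for owner, rtype, target in recs:
        fq = target if target.endswith(".") else f"{target}.{origin}"
        if rtype in ("NS", "MX") and _IPV4.match(target):
            out.append(f"{owner} {rtype}: points at a raw address {target}")
        elif rtype in ("NS", "MX", "CNAME") and fq != target and "." in target and fq not in types:
            out.append(f"{owner} {rtype}: '{target}' lacks a trailing '.' and reads as {fq}")
        elif rtype in ("NS", "MX") and fq in cnames:
            out.append(f"{owner} {rtype}: target {fq} is a CNAME")
    return out

SAMPLE_ZONE = """\
@ IN SOA example.com. soa.example.com. ( 2005071300 10800 3600 3628800 86400 )
@ 604800 IN NS ns1.example.com    ; constructed sample: forgotten "."
@ IN MX 10 smtp.example.com.      ; MX target is a CNAME (see smtp below)
@ IN MX 20 192.0.2.1              ; MX pointing at a raw address
ns1 604800 IN A 192.0.2.1
smtp IN CNAME box1
box1 IN A 192.0.2.2
www IN CNAME box1
www IN A 192.0.2.3                ; CNAME plus A on one owner"""
```

Calling lint_zone(SAMPLE_ZONE, "example.com.") reports the four mistakes marked in the sample, and the example zone file from this page passes clean.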
----

In named.conf in Debian woody there is this comment:
<verbatim>
options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

//query-source address * port 53;
...
}
</verbatim>
I found that when using the standard ipmasq scripts (in /usr/share/doc/ipmasq/examples/stronger) to create a firewall, despite what the comment says, uncommenting that line caused DNS lookups to stop working, i.e. the firewall blocked them from going out.
----
If you run nscd (if you don't know, you probably are) and are running named on the same machine, then you should disable nscd's use of DNS: edit /etc/nscd.conf and put:
<verbatim>
enable-service hosts off
</verbatim>
If the link to your DNS server is slow enough (or unreliable enough) that you do want some caching, turning the times down on nscd's caching helps solve a lot of weird issues:
<verbatim>
positive-time-to-live hosts 60
negative-time-to-live hosts 10
</verbatim>
This causes it to cache successful responses for 60 seconds and failed responses for 10 seconds. This means that when you look something up it will be cached for a short time and then flushed from the cache, rather than nscd's habit of hanging on to bad data.

nscd also believes that host lookups are a symmetric relationship: if "4.3.2.1.in-addr.arpa." resolves to "localhost" then localhost must resolve to "1.2.3.4". Imagine not only the fun you have trying to diagnose these issues, but the potential for evildoers to screw with your security.

----
CategoryDns