Differences between current version and revision by previous author of NamedNotes.

Newer page: version 24 Last edited on Wednesday, February 21, 2007 5:58:56 am by JohnMcPherson
Older page: version 23 Last edited on Wednesday, July 13, 2005 10:27:50 am by PerryLorier
@@ -28,8 +28,9 @@
 Try and use one name for a NS record for all zones that reside on that machine. for example in "foo.example.com" use "ns1.example.com" and in "example2.com" use "ns1.example.com", this means that when "ns1.example.com" changes it's IP, you will only have to update it once for each registrar, not once per registrar per zone. This also means that DNS caches don't fill up with needless entries. Try to make sure that this name server has glue to avoid unnecessary lookups. 
  
 ---- 
 An example zone file: 
+<verbatim>  
  $TTL 3600 
  @ IN SOA example.com. soa.example.com. ( 
  2005071300 ; serial (in YYYY-mm-dd revision format) 
  10800 ; refresh (10800 seconds = 3 hours) 
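Review bot: the serial comment just under the new <verbatim> line says "YYYY-mm-dd revision format", but the value 2005071300 has no hyphens and ends in a two-digit revision counter; suggest wording it as "YYYYMMDDnn" so nobody types hyphens into a serial. The <verbatim> opened here is only closed in the next hunk, so the two changes need to land together.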
@@ -47,8 +48,9 @@
  proxy IN CNAME box1 
  pop3 IN CNAME box1 
  www IN CNAME box1 
  news IN CNAME box1 
+</verbatim>  
  
 See ZoneFile for a more verbose description. 
 ---- 
 Useful config tweaks (possibly [Debian]-specific). 
@@ -61,30 +63,33 @@
 ---- 
 Root zone 
 Debian woody (bind ver 8) - 
 etc/bind/named.conf: 
+<verbatim>  
  zone "." { 
  type hint; 
  file "/etc/bind/db.root"; 
  }; 
-  
+</verbatim>  
 Red Hat 8 (bind ver 9) - 
+<verbatim>  
  zone "." { 
  type hint; 
  file "named.ca"; 
  }; 
+</verbatim>  
 (this file should live in /var/named/) 
 ---- 
 ISC has recently released a patch that fixes problems with the Verisign wildcard on the .com and .net root zones. The patch only allows delegations from the root zones and will ignore any A records that are returned directly from the root zone. This seems to be quite a tidy solution to the problem. 
  
 You can find more details about the patch at the URL below. 
  http://www.isc.org/products/BIND/delegation-only.html 
 ---- 
-I've written a [script|WLUG :/archive/validate_zones] to check for obvious mistakes in zone files (forgotten a "." or forgotten to update the serial). 
+I've written a [script|http ://www.wlug.org.nz /archive/validate_zones] to check for obvious mistakes in zone files (forgotten a "." or forgotten to update the serial). 
 ---- 
  
 In named.conf in Debian woody there is this comment: 
-  
+</verbatim>  
 options { 
  directory "/var/cache/bind"; 
  
  // If there is a firewall between you and nameservers you want 
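Review bot: the line added immediately before "options {" is a closing </verbatim> where an opening <verbatim> is needed; as written the named.conf excerpt is not wrapped, and the </verbatim> added after "..." in the following hunk has nothing to close. Change that line to <verbatim>. Also, the new link target reads "http ://www.wlug.org.nz /archive/validate_zones" with a space after "http" and another before "/archive"; if those spaces are in the stored markup the link will not resolve, so check the saved URL.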
@@ -95,9 +100,9 @@
  
  //query-source address * port 53; 
 ... 
 
-  
+</verbatim>  
 I found that when using the standard ipmasq scripts ( in /usr/share/doc/ipmasq/examples/stronger ) to create a firewall then, despite what the comment says that uncommenting that line caused dns lookups to stop working, ie the firewall blocked them from going out. 
 ---- 
 If you run nscd (if you don't know, you probably are...) and running named on the same machine then you should disable nscd's use of DNS, edit /etc/nscd.conf and put: 
  enable-service hosts off
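Review bot: the last context line, "enable-service hosts off", is still a bare indented config line while this revision wraps the other configuration excerpts in <verbatim>; wrap it as well so all the snippets on the page render the same way.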