Commit af40ebed authored by Tinderbox User

regen master

parent b2171b16
......@@ -44,17 +44,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.3">Scope of Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.4">Organization of This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.5">Conventions Used in This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6.3">DNS Fundamentals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6.4">Domains and Domain Names</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6.5">Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6.6">Authoritative Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6.7">Caching Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6.8">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
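Review bot: Dropping the generated anchors `id-1.2.3` through `id-1.2.6.8` from this TOC (and from the matching `<a name>` tags in the hunks below) without retaining them as aliases breaks every existing external link and bookmark that used those fragments. Moving to stable names such as `doc_scope` and `dns_overview` is the right direction, because generated ids renumber whenever a section is inserted, but the commit message `regen master` does not say which source change produced this regeneration (presumably the addition of `id` attributes to the DocBook sections); please reference that source commit so the generated HTML can be checked against it.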
......@@ -70,7 +70,7 @@
</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2.3"></a>Scope of Document</h2></div></div></div>
<a name="doc_scope"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
......@@ -84,7 +84,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2.4"></a>Organization of This Document</h2></div></div></div>
<a name="organization"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
......@@ -113,7 +113,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2.5"></a>Conventions Used in This Document</h2></div></div></div>
<a name="conventions"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
......@@ -240,7 +240,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2.6"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
......@@ -250,7 +250,7 @@
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.2.6.3"></a>DNS Fundamentals</h3></div></div></div>
<a name="dns_fundamentals"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
......@@ -272,7 +272,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.2.6.4"></a>Domains and Domain Names</h3></div></div></div>
<a name="domain_names"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
......@@ -318,7 +318,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.2.6.5"></a>Zones</h3></div></div></div>
<a name="zones"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
......@@ -371,7 +371,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.2.6.6"></a>Authoritative Name Servers</h3></div></div></div>
<a name="auth_servers"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
......@@ -388,7 +388,7 @@
</p>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.2.6.6.4"></a>The Primary Master</h4></div></div></div>
<a name="primary_master"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
......@@ -408,7 +408,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.2.6.6.5"></a>Slave Servers</h4></div></div></div>
<a name="slave_server"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
......@@ -424,7 +424,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.2.6.6.6"></a>Stealth Servers</h4></div></div></div>
<a name="stealth_server"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
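Review bot: The new anchors `slave_server` (previous hunk) and `stealth_server` here are singular while their headings read "Slave Servers" and "Stealth Servers", and the sibling section anchors `auth_servers` and `cache_servers` use the plural. Pick one convention now (for example `slave_servers` and `stealth_servers`), because renaming these fragments after other pages start linking to them would break links a second time.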
......@@ -459,7 +459,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.2.6.7"></a>Caching Name Servers</h3></div></div></div>
<a name="cache_servers"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
......@@ -486,7 +486,7 @@
</p>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.2.6.7.5"></a>Forwarding</h4></div></div></div>
<a name="forwarder"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
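Review bot: The anchor `forwarder` does not match its heading "Forwarding", whereas the other renamed anchors in this file mirror their titles (`zones`, `signals`, `tools`); consider `forwarding` so the fragment stays predictable from the heading text.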
......@@ -513,7 +513,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.2.6.8"></a>Name Servers in Multiple Roles</h3></div></div></div>
<a name="multi_role"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
......
......@@ -44,16 +44,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.2">Hardware requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.3">CPU Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.4">Memory Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.5">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.6">Supported Operating Systems</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.3.2"></a>Hardware requirements</h2></div></div></div>
<a name="hw_req"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
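Review bot: The `hw_req` entry's title "Hardware requirements" uses a lowercase "requirements" while the neighbouring "CPU Requirements" and "Memory Requirements" entries are title-cased. Since the DocBook source is already being touched to add section ids, fix the heading case there rather than in this generated HTML.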
......@@ -72,7 +72,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.3.3"></a>CPU Requirements</h2></div></div></div>
<a name="cpu_req"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
......@@ -83,7 +83,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.3.4"></a>Memory Requirements</h2></div></div></div>
<a name="mem_req"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span class="command"><strong>max-cache-size</strong></span>
......@@ -106,7 +106,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.3.5"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<a name="intensive_env"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
......@@ -123,7 +123,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.3.6"></a>Supported Operating Systems</h2></div></div></div>
<a name="supported_os"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
......
......@@ -46,14 +46,14 @@
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.3.2">A Caching-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.3.3">An Authoritative-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.4">Load Balancing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.5">Name Server Operations</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.5.2">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.5.3">Signals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
......@@ -67,7 +67,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.4.3.2"></a>A Caching-only Name Server</h3></div></div></div>
<a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
......@@ -97,7 +97,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.4.3.3"></a>An Authoritative-only Name Server</h3></div></div></div>
<a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
......@@ -145,7 +145,7 @@ zone "eng.example.com" {
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.4.4"></a>Load Balancing</h2></div></div></div>
<a name="load_balancing"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
......@@ -288,10 +288,10 @@ zone "eng.example.com" {
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.4.5"></a>Name Server Operations</h2></div></div></div>
<a name="ns_operations"></a>Name Server Operations</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.4.5.2"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
......@@ -604,7 +604,7 @@ controls {
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.4.5.3"></a>Signals</h3></div></div></div>
<a name="signals"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
......
......@@ -48,8 +48,8 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.5">Split DNS</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.5.5">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
......@@ -59,13 +59,13 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">TSIG Key Based Access Control</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.10">Errors</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7">TKEY</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.8">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9.6">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9.7">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9.8">Configuring Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
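Review bot: The rename is incomplete in this hunk: the TSIG subsections keep their generated anchors (`id-1.5.6.5`, `id-1.5.6.9`, `id-1.5.6.10`) while the entries around them move to `tkey`, `sig0`, `dnssec_keys`, `dnssec_signing` and `dnssec_config`. Generated ids shift whenever a section is added or removed, so links to "Generate Shared Keys for Each Pair of Hosts", "TSIG Key Based Access Control" and "Errors" will keep breaking on the next regeneration; give those sections ids in the source as well (for example `tsig_keygen`, `tsig_acl`, `tsig_errors`).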
......@@ -108,7 +108,7 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.7">Address to Name Lookups Using Nibble Format</a></span></dt>
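Review bot: The same gap appears here: `ipv6` receives a stable anchor, but its children "Address Lookups Using AAAA Records" and "Address to Name Lookups Using Nibble Format" (`id-1.5.15.6`, `id-1.5.15.7`) and the DynDB entries "Configuring DynDB" and "Sample DynDB Module" (`id-1.5.14.5`, `id-1.5.14.6`) stay on generated ids that will renumber the next time this file is regenerated.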
......@@ -275,7 +275,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.5.5"></a>Split DNS</h2></div></div></div>
<a name="split_dns"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
......@@ -305,124 +305,124 @@
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.5.5"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
has several corporate sites that have an internal network with
reserved
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
or "outside" section of a network, that is available to the public.
</p>
<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
has several corporate sites that have an internal network with
reserved
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
or "outside" section of a network, that is available to the public.
</p>
<p>
<span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
to be able to resolve external hostnames and to exchange mail with
people on the outside. The company also wants its internal resolvers
to have access to certain internal-only zones that are not available
at all outside of the internal network.
</p>
<span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
to be able to resolve external hostnames and to exchange mail with
people on the outside. The company also wants its internal resolvers
to have access to certain internal-only zones that are not available
at all outside of the internal network.
</p>
<p>
In order to accomplish this, the company will set up two sets
of name servers. One set will be on the inside network (in the
reserved
IP space) and the other set will be on bastion hosts, which are
"proxy"
hosts that can talk to both sides of its network, in the DMZ.
</p>
In order to accomplish this, the company will set up two sets
of name servers. One set will be on the inside network (in the
reserved
IP space) and the other set will be on bastion hosts, which are
"proxy"
hosts that can talk to both sides of its network, in the DMZ.
</p>
<p>
The internal servers will be configured to forward all queries,
except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
and <code class="filename">site2.example.com</code>, to the servers
in the
DMZ. These internal servers will have complete sets of information
for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
and <code class="filename">site2.internal</code>.
</p>
The internal servers will be configured to forward all queries,
except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
and <code class="filename">site2.example.com</code>, to the servers
in the
DMZ. These internal servers will have complete sets of information
for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
and <code class="filename">site2.internal</code>.
</p>
<p>
To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
the internal name servers must be configured to disallow all queries
to these domains from any external hosts, including the bastion
hosts.
</p>
To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
the internal name servers must be configured to disallow all queries
to these domains from any external hosts, including the bastion
hosts.
</p>
<p>
The external servers, which are on the bastion hosts, will
be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
This could include things such as the host records for public servers
(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
</p>
The external servers, which are on the bastion hosts, will
be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
This could include things such as the host records for public servers
(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
</p>
<p>
In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
should have special MX records that contain wildcard (`*') records
pointing to the bastion hosts. This is needed because external mail
servers do not have any other way of looking up how to deliver mail
to those internal hosts. With the wildcard records, the mail will
be delivered to the bastion host, which can then forward it on to
internal hosts.
</p>
In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
should have special MX records that contain wildcard (`*') records
pointing to the bastion hosts. This is needed because external mail
servers do not have any other way of looking up how to deliver mail
to those internal hosts. With the wildcard records, the mail will
be delivered to the bastion host, which can then forward it on to
internal hosts.
</p>
<p>
Here's an example of a wildcard MX record:
</p>
Here's an example of a wildcard MX record:
</p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers
on
the bastion hosts will need to be configured to point to the internal
name servers for DNS resolution.
</p>
Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers
on
the bastion hosts will need to be configured to point to the internal
name servers for DNS resolution.
</p>
<p>
Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.
</p>
Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.
</p>
<p>
In order for all this to work properly, internal clients will
need to be configured to query <span class="emphasis"><em>only</em></span> the internal
name servers for DNS queries. This could also be enforced via
selective
filtering on the network.
</p>
In order for all this to work properly, internal clients will
need to be configured to query <span class="emphasis"><em>only</em></span> the internal
name servers for DNS queries. This could also be enforced via
selective
filtering on the network.
</p>
<p>
If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
internal clients will now be able to:
</p>
If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
internal clients will now be able to:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
Look up any hostnames in the <code class="literal">site1</code>
and
<code class="literal">site2.example.com</code> zones.
</li>
Look up any hostnames in the <code class="literal">site1</code>
and
<code class="literal">site2.example.com</code> zones.
</li>
<li class="listitem">
Look up any hostnames in the <code class="literal">site1.internal</code> and
<code class="literal">site2.internal</code> domains.
</li>
Look up any hostnames in the <code class="literal">site1.internal</code> and
<code class="literal">site2.internal</code> domains.
</li>
<li class="listitem">Look up any hostnames on the Internet.</li>
<li class="listitem">Exchange mail with both internal and external people.</li>
</ul></div>
<p>
Hosts on the Internet will be able to:
</p>
Hosts on the Internet will be able to:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
Look up any hostnames in the <code class="literal">site1</code>
and
<code class="literal">site2.example.com</code> zones.
</li>
Look up any hostnames in the <code class="literal">site1</code>
and
<code class="literal">site2.example.com</code> zones.
</li>
<li class="listitem">
Exchange mail with anyone in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.
</li>
Exchange mail with anyone in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.
</li>
</ul></div>
<p>
Here is an example configuration for the setup we just
described above. Note that this is only configuration information;
for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
</p>
Here is an example configuration for the setup we just
described above. Note that this is only configuration information;
for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
</p>
<p>
Internal DNS server config:
</p>
Internal DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
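Review bot: Apart from the anchor change from `id-1.5.5.5` to `split_dns_sample` at the top of the hunk, every other line here is whitespace-only re-indentation of otherwise unchanged paragraphs, which hides the one real change inside more than a hundred lines of churn. Either commit the whitespace-only regeneration separately, or confirm that the stylesheet change behind the indentation shift is intended, so the anchor renames can be verified with a whitespace-ignoring diff.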
......@@ -485,8 +485,8 @@ zone "site2.internal" {
};
</pre>
<p>
External (bastion host) DNS server config:
</p>
External (bastion host) DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
......@@ -522,9 +522,9 @@ zone "site2.example.com" {
};
</pre>
<p>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
</p>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
</p>
<pre class="programlisting">
search ...
nameserver 172.16.72.2
......@@ -729,7 +729,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.5.7"></a>TKEY</h2></div></div></div>
<a name="tkey"></a>TKEY</h2></div></div></div>
<p><span class="command"><strong>TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
......@@ -765,7 +765,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.5.8"></a>SIG(0)</h2></div></div></div>
<a name="sig0"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
......@@ -826,7 +826,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.9.6"></a>Generating Keys</h3></div></div></div>
<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
generate keys.
......@@ -882,7 +882,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.9.7"></a>Signing the Zone</h3></div></div></div>
<a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-signzone</strong></span> program is used
to sign a zone.
......@@ -924,7 +924,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.9.8"></a>Configuring Servers</h3></div></div></div>
<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span class="command"><strong>named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
......@@ -2294,7 +2294,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.5.15"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6 name to address and address to name
......
......@@ -44,13 +44,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>