13.3 About DNS Configuration Files

13.3.1 /etc/named.conf
13.3.2 About Resource Records in Zone Files
13.3.3 About Resource Records for Reverse-name Resolution

Domains are grouped into zones and zones are configured through the use of zone files. Zone files store information about domains in the DNS database. Each zone file contains directives and resource records. Optional directives apply settings to a zone or instruct a name server to perform certain tasks. Resource records specify zone parameters and define information about the systems (hosts) in a zone.

For examples of BIND configuration files, see /usr/share/doc/bind-version/sample/.

13.3.1 /etc/named.conf

The main configuration file for named is /etc/named.conf, which contains settings for named and the top-level definitions for zones, for example:

include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

zone "us.mydom.com" IN {
    type master;
    file "data/master-data";
    allow-update { key "rndc-key"; };
    notify yes;
};

zone "mydom.com" IN {
    type slave;
    file "sec/sec.slave-data";
    allow-update { key "rndc-key"; };
    masters { 10.1.32.1; };
};

zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "data/reverse-192.168.2";
    allow-update { key "rndc-key"; };
    notify yes;
};

The include statement allows external files to be referenced so that potentially sensitive data such as key hashes can be placed in a separate file with restricted permissions.

The controls statement defines access information and the security requirements that are necessary to use the rndc command with the named server:

inet

Specifies which hosts can run rndc to control named. In this example, rndc must be run on the local host (127.0.0.1).

keys

Specifies the names of the keys that can be used. The example specifies using the key named rndc-key, which is defined in /etc/rndc.key. Keys authenticate various actions by named and are the primary method of controlling remote access and administration.

The zone statements define the role of the server in different zones.

The following zone options are used:

type

Specifies that this system is the master name server for the zone us.mydom.com and a slave server for mydom.com. 2.168.192.in-addr.arpa is a reverse zone for resolving IP addresses to host names. See Section 13.3.3, “About Resource Records for Reverse-name Resolution”.

file

Specifies the path to the zone file relative to /var/named. The zone file for us.mydom.com is stored in /var/named/data/master-data and the transferred zone data for mydom.com is cached in /var/named/sec/sec.slave-data.

allow-update

Specifies that a shared key must exist on both the master and a slave name server for a zone transfer to take place from the master to the slave. The following is an example record for a key in /etc/rndc.key:

key "rndc-key" {
        algorithm hmac-md5;
        secret "XQX8NmM41+RfbbSdcqOejg==";
};

You can use the rndc-confgen -a command to generate a key file.

notify

Specifies whether to notify the slave name servers when the zone information is updated.

masters

Specifies the master name server for a slave name server.

The next example is taken from the default /etc/named.conf file that is installed with the bind package, and which configures a caching-only name server.

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localnets; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The options statement defines global server configuration options and sets defaults for other statements.

listen-on

The IP addresses and port on which named listens for queries.

directory

Specifies the default directory for zone files if a relative pathname is specified.

dump-file

Specifies where named dumps its cache if it crashes.

statistics-file

Specifies the output file for the rndc stats command.

memstatistics-file

Specifies the output file for named memory-usage statistics.

allow-query

Specifies which IP addresses may query the server. localnets specifies all locally attached networks.

recursion

Specifies whether the name server performs recursive queries.

dnssec-enable

Specifies whether to use secure DNS (DNSSEC).

dnssec-validation

Whether the name server should validate replies from DNSSEC-enabled zones.

dnssec-lookaside

Whether to enable DNSSEC Lookaside Validation (DLV) using the key in /etc/named.iscdlv.key defined by bindkeys-file.

The logging section enables logging of messages to /var/named/data/named.run. The severity parameter controls the logging level, and the dynamic value means that this level can be controlled by using the rndc trace command.

The zone section specifies the initial set of root servers using a hint zone. This zone specifies that named should consult /var/named/named.ca for the IP addresses of authoritative servers for the root domain (.).

For more information, see the named.conf(5) manual page and the BIND documentation in /usr/share/doc/bind-version/arm.

13.3.2 About Resource Records in Zone Files

A resource record in a zone file contains the following fields, some of which are optional depending on the record type:

Name

Domain name or IP address.

TTL (time to live)

The maximum time that a name server caches a record before it checks whether a newer one is available.

Class

Always IN for Internet.

Type

Type of record, for example:

A (address)

IPv4 address corresponding to a host.

AAAA (address)

IPv6 address corresponding to a host.

CNAME (canonical name)

Alias name corresponding to a host name.

MX (mail exchange)

Destination for email addressed to the domain.

NS (name server)

Fully qualified domain name of an authoritative name server for a domain.

PTR (pointer)

Host name corresponding to an IP address, used for address-to-name lookups (reverse-name resolution).

SOA (start of authority)

Authoritative information about a zone, such as the master name server, the email address of the domain's administrator, and the domain's serial number. All records following an SOA record relate to the zone that it defines, up to the next SOA record.

Data

The information that the record stores, such as an IP address in an A record, or a host name in a CNAME or PTR record.

The following example shows the contents of a typical zone file such as /var/named/data/master-data:

$TTL 86400            ; 1 day
@ IN SOA dns.us.mydom.com. root.us.mydom.com. (
                    57 ; serial
                    28800 ; refresh (8 hours)
                    7200 ; retry (2 hours)
                    2419200 ; expire (4 weeks)
                    86400 ; minimum (1 day)
                    )
              IN  NS      dns.us.mydom.com.

dns           IN  A       192.168.2.1
us.mydom.com. IN  A       192.168.2.1
svr01         IN  A       192.168.2.2
www           IN  CNAME   svr01
host01        IN  A       192.168.2.101
host02        IN  A       192.168.2.102
host03        IN  A       192.168.2.103
...

A comment on a line is preceded by a semicolon (;).

The $TTL directive defines the default time-to-live value for all resource records in the zone. Each resource record can define its own time-to-live value, which overrides the global setting.

The SOA record is mandatory and includes the following information:

us.mydom.com

The name of the domain. In the example it is written as @, which stands for the zone name given in /etc/named.conf.

dns.us.mydom.com.

The fully qualified domain name of the name server, including a trailing period (.) for the root domain.

root.us.mydom.com.

The email address of the domain administrator.

serial

A counter that, if incremented, tells named to reload the zone file.

refresh

The time after which a master name server notifies slave name servers that they should refresh their database.

retry

If a refresh fails, the time that a slave name server should wait before attempting another refresh.

expire

The maximum elapsed time that a slave name server has to complete a refresh before its zone records are no longer considered authoritative and it will stop answering queries.

minimum

The minimum time for which other servers should cache information obtained from this zone.

An NS record declares an authoritative name server for the domain.

Each A record specifies the IP address that corresponds to a host name in the domain.

The CNAME record creates the alias www for svr01.

For more information, see the BIND documentation in /usr/share/doc/bind-version/arm.

13.3.3 About Resource Records for Reverse-name Resolution

Forward resolution returns an IP address for a specified domain name. Reverse-name resolution returns a domain name for a specified IP address. DNS implements reverse-name resolution by using the special in-addr.arpa and ip6.arpa domains for IPv4 and IPv6.

The characteristics for a zone's in-addr.arpa or ip6.arpa domains are usually defined in /etc/named.conf, for example:

zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "data/reverse-192.168.2";
    allow-update { key "rndc-key"; };
    notify yes;
};

The zone's name consists of in-addr.arpa preceded by the network portion of the IP address for the domain, with its octets written in reverse order.

If your network does not have a prefix length that is a multiple of 8, see RFC 2317 for the format that you should use instead.
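The following added example (not from this guide) derives the reverse zone name for a network prefix, the way the text derives 2.168.192.in-addr.arpa from 192.168.2, together with the owner name of a host's PTR record inside that zone; it also covers ip6.arpa and, for prefix lengths that are not a multiple of 8, the <first-octet>/<prefix-length> label convention that RFC 2317 describes. The function names are my own.

```python
import ipaddress

def reverse_zone_name(network: str) -> str:
    """Zone that holds the PTR records for `network` (a CIDR string).

    192.168.2.0/24 -> 2.168.192.in-addr.arpa, as in the page's example.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        whole, rem = divmod(net.prefixlen, 8)
        labels = list(reversed(octets[:whole]))      # one label per whole octet, reversed
        if rem:
            # Prefix not a multiple of 8: classless delegation. The extra label
            # follows the "<first-octet>/<prefix-length>" convention of RFC 2317.
            labels.insert(0, f"{octets[whole]}/{net.prefixlen}")
        return ".".join(labels + ["in-addr", "arpa"])
    # IPv6: ip6.arpa uses one label per hex nibble, least significant first
    count, rem = divmod(net.prefixlen, 4)
    if rem:
        raise ValueError("ip6.arpa zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(nibbles[:count])) + ".ip6.arpa"

def ptr_owner(address: str, network: str) -> str:
    """Owner name of the PTR record for `address`, relative to the zone for `network`.

    192.168.2.101 in 192.168.2.0/24 -> "101", matching the reverse zone file in this section.
    """
    net, addr = ipaddress.ip_network(network, strict=True), ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {network}")
    if net.version == 4:
        # The zone name already covers the whole octets of the prefix; the remaining
        # octets, reversed, form the owner name. This holds for /8, /16 and /24 zones
        # and for RFC 2317 zones, where the last octet is still the owner.
        return ".".join(reversed(str(addr).split(".")[net.prefixlen // 8:]))
    return ".".join(reversed(addr.exploded.replace(":", "")[net.prefixlen // 4:]))
```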

The PTR records in in-addr.arpa or ip6.arpa domains define the host names that correspond to the host portion of the IP address. Because the zone's origin is 2.168.192.in-addr.arpa, the host names in the PTR data are written fully qualified, with a trailing period. The following example is taken from the /var/named/data/reverse-192.168.2 zone file:

$TTL 86400            ;
@ IN SOA dns.us.mydom.com. root.us.mydom.com. (
                    57 ;
                    28800 ;
                    7200 ;
                    2419200 ;
                    86400 ;
                    )
              IN  NS      dns.us.mydom.com.

1             IN  PTR     dns.us.mydom.com.
1             IN  PTR     us.mydom.com.
2             IN  PTR     svr01.us.mydom.com.
101           IN  PTR     host01.us.mydom.com.
102           IN  PTR     host02.us.mydom.com.
103           IN  PTR     host03.us.mydom.com.
...

For more information, see the BIND documentation in /usr/share/doc/bind-version/arm.
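As an added example for both zone files in this section (not part of the guide), the following parses BIND master-file records, applies the zone origin to every relative name, and cross-checks that each A record in the forward zone has a matching PTR in the reverse zone and vice versa. The sample zones are constructed from the page's examples; the last PTR deliberately omits the trailing period to show what a relative name becomes in a reverse zone.

```python
import ipaddress

FORWARD = """\
$TTL 86400            ; 1 day
@ IN SOA dns.us.mydom.com. root.us.mydom.com. (
                    57 28800 7200 2419200 86400 )
              IN  NS      dns.us.mydom.com.
dns           IN  A       192.168.2.1
svr01         IN  A       192.168.2.2
www           IN  CNAME   svr01
host01        IN  A       192.168.2.101
"""
REVERSE = """\
@   IN  SOA  dns.us.mydom.com. root.us.mydom.com. ( 57 28800 7200 2419200 86400 )
    IN  NS   dns.us.mydom.com.
1   IN  PTR  dns.us.mydom.com.
2   IN  PTR  svr01.us.mydom.com.
101 IN  PTR  host01   ; constructed mistake: no trailing dot, so the origin is appended
"""

def fqdn(name, origin):  # '@' is the origin; a name without a trailing dot gets it appended
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples; owner and domain-name rdata are made absolute."""
    records, owner, depth, buf = [], origin, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # ';' starts a comment
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0: continue                   # still inside a ( ... ) multi-line record
        logical, buf = " ".join(buf).replace("(", " ").replace(")", " "), []
        if not logical.strip() or logical.startswith("$"): continue   # blank or $TTL/$ORIGIN
        if not logical[0].isspace():             # explicit owner; otherwise inherit the previous one
            owner_tok, logical = logical.split(None, 1)
            owner = fqdn(owner_tok, origin)
        toks = logical.split()
        while toks[0].isdigit() or toks[0].upper() == "IN":   # optional TTL and class
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("CNAME", "NS", "PTR"):      # name-valued rdata is relative too
            rdata = [fqdn(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records

def check_forward_reverse(fwd, rev):
    # A records lacking a PTR, and PTR records (IPv4 in-addr.arpa only) lacking an A
    a = {(name, ipaddress.ip_address(r[0])) for name, t, r in fwd if t == "A"}
    ptr = {(r[0], ipaddress.ip_address(".".join(reversed(n.removesuffix(".in-addr.arpa.").split(".")))))
           for n, t, r in rev if t == "PTR"}
    return sorted(a - ptr), sorted(ptr - a)
```

Requires Python 3.9 or later for str.removesuffix; run check_forward_reverse(parse_zone(FORWARD, "us.mydom.com."), parse_zone(REVERSE, "2.168.192.in-addr.arpa.")) to see the mis-qualified PTR reported on both sides.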