NAME | SYNOPSIS | DESCRIPTION | OPTIONS | USAGE | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO | NOTES
in.named is the Internet domain name server. in.named spawns the named-xfer process whenever it needs to perform a zone transfer. See named-xfer(1M) .
The in.named name service is used by hosts on the Internet to provide access to the Internet distributed naming database. See RFC 1034 and RFC 1035 for more information on the Internet domain name system.
With no arguments, in.named reads the default configuration file /etc/named.conf for any initial data, and listens for queries. Any additional arguments beyond those shown in the SYNOPSIS section are interpreted as the names of boot files. If multiple boot files are specified, only the last is used.
The name server reads the boot file to obtain instructions on where to find its initial data.
In a Trusted Solaris system,
in.named
listens for input requests on a multilevel port (
MLP
) and sends responses to the
DNS
client
at the sensitivity label of the client's request. Thus, though
in.named
runs at the sensitivity label
ADMIN_LOW
, it can accept requests at any sensitivity label.
in.named
can also serve
DNS
clients and communicate
with other
DNS
name servers on either Trusted Solaris
hosts or non-trusted hosts.
The
DNS
name
server running on a Trusted Solaris machine is viewed as a supplier of public
information, and the name database that it maintains is considered trusted.
in.named
requires the trusted path attribute, and it requires
that the
/etc/named.boot
file, zone files, and other
configuration files that it uses be at the sensitivity label
ADMIN_LOW
. As part of the name database, these
files and their contents are also considered trusted; thus
in.named
can query any
DNS
name server specified in
the files. The
DNS
name servers specified in these files
may reside on either Trusted Solaris hosts or non-trusted hosts.
Use bootfile rather than /etc/named.conf . This options allows filenames to begin with a leading dash.
Use bootfile rather than /etc/named.conf . This options allows filenames to begin with a leading dash.
Print debugging information. level is a number indicating the level of messages printed.
Use different, port numbers. The default is the standard port number as returned by getservbyname(3SOCKET) for service domain. The -p argument can specify up to two port numbers. The specification of two port numbers requires a ` / ' (slash) separator. In this case, the first port is used when contacting remote servers, and the second one is the service port bound by the local instance of in.named . This option is used mostly for debugging purposes.
Trace all incoming queries. Note: this option is ignored in favor of the boot file directive, options query-log , when both options are used.
Turns recursion off in the server. Answers can come only from local (primary or secondary) zones. This option can be used on root servers. Note: This option will probably be eventually abandoned in favor of the boot file directive, options no-recursion .
Change the current working directory of in.named to dirname .
options { directory "/usr/local/adm/named"; pid-file "/var/named/named.pid"; named-xfer "/usr/sbin/named-xfer"; forwarders { 10.0.0.78; 10.2.0.78; }; transfers-in 10; forward only; fake-iquery yes; pollfd-chunk-size 20; }; logging { category lame-servers { null; }; category cname { null; }; }; zone "." in { type hint; file "root.cache"; }; zone "cc.berkeley.edu" in { type slave; file "128.32.137.3"; masters { 128.32.137.8; }; }; zone "6.32.128.in-addr.arpa" in { type slave; file "128.32.137.3"; masters { 128.32.137.8; }; }; zone "0.0.127.in-addr.arpa" in { type master; file "master/db.127"; }; zone "berkeley.edu" in { type master; file "berkeley.edu.zone"; }; zone "32.128.in-addr.arpa" in { type master; file "ucbhosts.rev"; };
/* This is a BIND comment as in C */ // This is a BIND comment as in C++ # This is a BIND comment as in common Unix shells and perl
WARNING: you cannot use the semicolon character ( ; ) to start a comment.
options { [ directory path_name; ] [ named-xfer path_name; ] [ pid-file path_name; ] [ auth-nxdomain yes_or_no; ] [ fake-iquery yes_or_no; ] [ fetch-glue yes_or_no; ] [ multiple-cnames yes_or_no; ] [ notify yes_or_no; ] [ recursion yes_or_no; ] [ forward ( only | first ); ] [ forwarders { [ in_addr ; [ in_addr ; ... ] ] }; ] [ check-names ( master | slave | response ) ( warn | fail | ignore); ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ listen-on [ port ip_port ] { address_match_list }; ] [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ] ; ] [ max-transfer-time-in number; ] [ transfer-format ( one-answer | many-answers ); ] [ transfers-in number; ] [ transfers-out number; ] [ transfers-per-ns number; ] [ coresize size_spec ; ] [ datasize size_spec ; ] [ files size_spec ; ] [ stacksize size_spec ; ] [ clean-interval number; ] [ interface-interval number; ] [ scan-interval number; ] [ topology { address_match_list }; ] };
The options section sets up global options to be used by BIND. This section may appear at only once in a configuration file; if more than one occurrence is found, the first occurrence determines the actual options used, and a warning will be generated. If there is no options section, an options block with each option set to its default will be used.
The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (for example, " named.run ") is this directory. If a directory is not specified, the working directory defaults to " . ", the directory from which the server was started. The directory specified should be an absolute path.
The pathname to the named-xfer program that the server uses for inbound zone transfers. If not specified, the default is operating system dependent, for example, " /usr/sbin/named-xfer ").
The pathname of the file the server writes its process ID in. If not specified, the default is operating system dependent, but is usually " /var/run/named.pid " or " /etc/named.pid ". The pid-file is used by programs like " ndc " that want to send signals to the running nameserver.
If yes , then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is yes . Do not turn off auth-nxdomain unless you are sure you know what you are doing, as some older software will not like it.
If yes , the server will simulate the obsolete DNS query type IQUERY . The default is no .
If yes (the default), the server will fetch "glue" resource records it does not have when constructing the additional data section of a response. fetch-glue no can be used in conjunction with recursion no to prevent the server's cache from growing or becoming corrupted (at the cost of requiring more work from the client).
If yes, then multiple CNAME resource records will be allowed for a domain name. The default is no . Allowing multiple CNAME records is against standards and is not recommended. Multiple CNAME support is available because previous versions of BIND allowed multiple CNAME records, and these records have been used for load balancing by a number of sites.
If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes. The use of NOTIFY speeds convergence between the master and its slaves. Slave servers that receive a NOTIFY message and understand it will contact the master server for the zone and see if they need to do a zone transfer, and if they do, they will initiate it immediately. The notify option may also be specified in the zone section, in which case it overrides the options notify statement.
If yes , and a DNS query requests recursion , then the server will attempt to do all the work required to answer the query. If recursion is not on, the server will return a referral to the client if it doesn't know the answer. The default is yes . See also fetch-glue above.
The forwarding facility can be used to create a large sitewide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative, and it does not have the answer in its cache.
This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first, and if that doesn't answer the question, the server will then look for the answer itself. If only is specified, the server will only query the forwarders .
Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).
The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the valid hostnames defined in the RFC s. Three checking methods are available:
No checking is done.
Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.
Names are checked against their expected client contexts. Invalid names are logged, and the offending data is rejected.
check-names master fail;
check-names slave warn;
check-names response ignore;
Access to the server can be restricted based on the IP address of the requesting system. See address_match_list for details on how to specify IP address lists.
Specifies which hosts are allowed to ask ordinary questions. allow-query may also be specified in the zone section, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zonesection, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers from all hosts.
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port, and an address_match_list . The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.
Multiple listen-on statements are allowed. For example,
listen-on { 5.6.7.8; }; listen-on port 1234 { !1.2.3.4; 1.2/16; };
If the server does not know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. If address is * or is omitted, a wildcard IP address ( INADDR_ANY ) will be used. If port is * or is omitted, a random unprivileged port will be used. The default is:
query-source address * port *;
Inbound zone transfers ( named-xfer processes) running longer than this many minutes will be terminated. The default is 120 minutes.
The server supports two zone transfer methods. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched versions of BIND 4.9.5. The default is one-answer . transfer-format may be overridden on a per-server basis by using the server section.
The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system.
This option will be used in the future to limit the number of concurrent outbound zone transfers. It is checked for syntax, but is otherwise ignored.
The maximum number of inbound zone transfers ( named-xfer processes) that can be concurrently transferring from a given remote name server. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers statement in the server section.
The server's usage of many system resources can be limited. Some operating systems do not support some of the limits, and a warning will be generated if an unsupported limit is set in the configuration file.
Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte, unlimited requests unlimited use, or the maximum available amount. Default uses the limit that was in force when the server was started. See ulimit(1) for a discussion of ulimit -a (ksh only) for defaults.
The maximum size of a core dump. The default is system dependent.
The maximum amount of data memory the server may use. The default is system dependent.
The maximum number of files that the server may have open concurrently. The default is system dependent.
The maximum amount of stack memory the server may use. The default is system dependent.
All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example,
topology { 10/8; !1.2.3/24; { 1.2/16; 3/8; }; };
topology { localhost; localnets; };
server ip_addr { [ bogus yes_or_no; ] [ transfers number; ] [ transfer-format ( one-answer | many-answers ); ] [ keys { key_id [key_id ... ] }; ] };
If you discover that a server is giving out bad data, marking it as bogus will prevent further queries to it. The default value is no .
The server supports two zone transfer methods. The first, one-answer , uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used.
The transfers will be used in a future release of the server to limit the number of concurrent inbound zone transfers from the specified server. It is checked for syntax but is otherwise ignored.
The keys statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.
zone domain_name [ ( in | hs | hesiod | chaos ) ] { type master; file path_name; [ check-names ( warn | fail | ignore ); ] [ allow-update { address_match_list }; ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ notify yes_or_no; ] [ also-notify { ip_addr; [ ip_addr; ... ] }; }; zone domain_name [ ( in | hs | hesiod | chaos ) ] { type ( slave | stub ); [ file path_name; ] masters { ip_addr; [ ip_addr; ... ] }; [ check-names ( warn | fail | ignore ); ] [ allow-update { address_match_list }; ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ max-transfer-time-in number; ] [ notify yes_or_no; ] [ also-notify { ip_addr; [ ip_addr; ... ] }; }; zone . [ ( in | hs | hesiod | chaos ) ] { type hint; file path_name; [ check-names ( warn | fail | ignore ); ] };
The master copy of the data in a zone .
A slave zone is a replica of a master zone . The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone . If file is specified, then the replica will be written to the file. Use of file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth.
A stub zone is like a slave zone , except that it replicates only the NS records of a master zone instead of the entire zone.
The initial set of root name servers is specified using a hint zone . When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers.
The zone's name may optionally be followed by a class . If a class is not specified, class in is used.
Zone options are described as follows:
See Name Checking .
See the description of allow-query in the Access Control section.
Specifies which hosts are allowed to submit dynamic DNS updates to the server. The default is to deny updates from all hosts.
See the description of allow-transfer in the Access Control section.
See the description of max-transfer-time-in in the Zone Transfers section.
See the description of notify in the Boolean Options section.
also-notify is only meaningful if notify is active for this zone.
logging { [ channel channel_name { ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ] | syslog ( kern | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 ) | null ); [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ] [ print-category yes_or_no; ] [ print-severity yes_or_no; ] [ print-time yes_or_no; ] }; ] [ category category_name { channel_name; [ channel_name; ... ] }; ] ... };
The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.
Only one logging statement is used to define as many channels and categories as are wanted. If there are multiple logging statements in a configuration, the first defined determines the logging, and warnings are issued for the others. If there is no logging statement, the default logging configuration will be:
logging { category default { default_syslog; default_debug; }; category panic { default_syslog; default_stderr; }; category packet { default_debug; }; category eventlib { default_debug; }; };
All log output goes to one or more "channels"; you can make as many of them as you want.
Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (default is " info "), and whether to include a named-generated time stamp, the category name and/or severity level (default is not to include any).
The word null as the destination option for the channel will cause all messages sent to it to be discarded; other options for the channel are meaningless.
The file clause can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.
The size option for files is simply a hard ceiling on log growth. If the file ever exceeds the size, then named will just not write anything more to it until the file is reopened; exceeding the size does not automatically trigger a reopen. The default behavior is to not limit the size of the file.
If you use the version logfile option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep 3 old versions of the file "lamers.log" then just before it is opened lamers.log.1 is renamed to lames.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled versions are kept by default. The unlimited keyword is synonymous with 99 in current BIND releases.
The argument for the syslog() clause is a syslog() facility as described in the syslog(3C) manual page. How syslogd(1M) will handle messages sent to this facility is described in the syslog.conf(4) manual page. If you have a system which uses a very old version of syslog() that only uses two arguments to the openlog() function, then this clause is silently ignored.
The severity clause works like the "priorities" to syslog() , except that they can also be used if you are writing straight to a file rather than using syslog() . Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.
If you are using syslog() , then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning by way of syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.
The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the server with the -d option followed by a positive integer, or by sending the server the SIGUSR1 signal (for example, by using " ndc trace "). The global debug level can be set to zero, and debugging mode turned off, by sending the server the SIGUSR2 signal ("ndc notrace". All debugging messages in the server have a debug level, and higher debug levels give more more detailed output. Channels that specify a specific debug severity, for example:
channel specific_debug_level { file "foo"; severity debug 3; };
If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog() channel, but is usually pointless since syslog() also prints the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print-options may be used in any combination, and will always be printed in the following order: time, category, severity . Here is an example where all three print-options are on:
28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries. |
There are four predefined channels that are used for default logging for in.named as follows. How they are used is described in the next section.
channel default_syslog { syslog daemon; # send to syslog's daemon facility severity info; # only send priority info and higher }; channel default_debug { file "named.run"; # write to named.run in the working directory severity dynamic; # log at the server's current debug level }; channel default_stderr { # writes to stderr file "<stderr>"; # this is illustrative only; # there's currently # no way of specifying an internal file # descriptor in the configuration language. severity info; # only send priority info and higher }; channel null { null; # toss anything sent to this channel };
Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.
There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you do not want. If you do not specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If do not specify a default category, the following "default default" is used:
category default { default_syslog; default_debug; };
For example, if you want to log security events to a file, but you also want keep the default logging behavior, specify the following:
channel my_security_channel { file "my_security_file"; severity info; }; category security { my_security_channel; default_syslog; default_debug; };
To discard all messages in a category, specify the null channel:
category lame-servers { null; }; category cname { null; };
The following categories are available:
The catch-all. Many things still are not classified into categories, and they all end up here. Also, if you do not specify any channels for a category, the default category is used instead. If you do not define the default category, the following definition is used:
category default { default_syslog; default_debug; };
High-level configuration file processing.
Low-level configuration file processing.
A short log message is generated for every query the server receives.
Messages like "Lame server on ..."
Statistics.
If the server has to shut itself down due to an internal problem, it will log the problem in this category as well as in the problem's native category. If you do not define the panic category, the following definition is used:
category panic { default_syslog; default_stderr; };
Dynamic updates.
Negative caching.
Zone transfers the server is receiving.
Zone transfers the server is sending.
All database operations.
Debugging info from the event system. Only one channel may be specified for this category, and it must be a file channel. If you do not define the eventlib category, the following definition is used:
category eventlib { default_debug; };
Dumps of packets received and sent. Only one channel may be specified for this category, and it must be a file channel. If you do not define the packet category, the following definition is used:
category packet { default_debug; };
The NOTIFY protocol.
Messages like "... points to a CNAME".
Approved/unapproved requests.
Operating system problems.
Internal consistency check failures.
Periodic maintenance events.
Zone loading messages.
Messages arising from response checking, such as "Malformed response ...", "wrong ans. name ...", "unrelated additional info ...", "invalid RR type ...", and "bad referral ...".
key key_id { algorithm algorithm_id; secret secret_string; };
The key section defines a key ID which can be used in a server section to associate an authentication method with a particular name server.
A key ID must be created with the key statement before it can be used in a server definition.
The algorithm_id is a string that specifies a security/authentication algorithm. secret_string is the secret to be used by the algorithm.
The key statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.
include path_name;
The include statement inserts the specified file at the point that the include statement is encountered. It cannot be used within another statement, though, so a line such as acl internal_hosts { "include internal_hosts.acl" } is not allowed. Use include to break the configuration up into easily-managed chunks. For example:
include "/etc/security/keys.bind"; include "/etc/acls.bind";
Be careful not to type " #include ", like you would in a C program, because " # " is used to start a comment.
acl name { address_match_list };
The acl statement creates a named address match list. It gets its name from a primary use of address match lists: Access Control Lists ( ACL s).
Note that an address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed.
The following ACL s are built-in:
Allows all hosts.
Denies all hosts.
Allows the IP addresses of all interfaces on the system.
Allows any host on a network for which the system has an interface.
The zone files are also known as the authoritative master files (data files) for a zone. In the boot file, references were made to these files as part of the specification of any primary directives.
Two classes of entries populate the zone files, directives and resource records. The start of the zone file is likely to contain one or two directives that establish a context that modifies the way subsequent records are interpreted.
Resource records for a zone determine how a zone is managed by establishing zone characteristics. For example, one type of zone record establishes the zone's mailbox information.
The very first record of each zone file should be a Start-of-Authority record ( SOA ) for a zone. A multiple-line SOA record is presented below. The meaning of the values in this sample will become clearer with the help of a list that describes the purpose of each field in the zone record (see the SOA list subitem under the rr-type list item in, Format of Resource Records in Zone Files).
@ IN SOA ucbvax.Berkeley.EDU. rwh.ucbvax.Berkeley.EDU. ( 1989020501 ;serial 10800 ;refresh 3600 ;retry 3600000 ;expire 86400 ) ;minimum
Resource records normally end at the end of a line, but may be continued across lines between opening and closing parentheses (as demonstrated by the preceding sample).
Comments are introduced by semicolons. They continue to the end of the line.
There are two control directives that help determine how the zone file is processed, $INCLUDE and $ORIGIN .
The $INCLUDE directive refers to still another file within which zone characteristics are described. Such files typically contain groups of resource records, but they may also contain further directives.
The $ORIGIN directive establishes a current origin that is appended to any domain values that do not end with a ` . ' (dot). The placeholder domain represents the first resource record field as shown in Format of Resource Records in Zone Files.The format for these directives is:
$INCLUDE filename opt-current-domain $ORIGIN current-domain
Specifies the value of the current origin that remains in effect for this configuration file unless a subsequent $ORIGIN directive overrides it for the remaining portion of the file.
Specifies a file, the contents of which are, in effect, incorporated into the configuration file at the location of the corresponding $INCLUDE directive.
Optionally defines a current origin that is applicable only to the records residing in the specified file in the corresponding $INCLUDE directive. This directive overrides the origin given in a preceding $ORIGIN directive, but only for the scope of the included text. See also current-domain .
domain opt-ttl opt-class rr-type rr-data...
Specifies the domain being described by the current line and any following lines that lack a value for this field. Beware of any domain values that you enter without full qualification, because the value of the current origin will be appended to them. The value of the current origin is appended when domain does not end with a dot.
A domain value specified as the symbol @ is replaced with the value of the current origin. The current-domain or any locally-overriding opt-current-domain value is used as its replacement. (For a discussion of these placeholders, see the earlier discussion of the $ORIGIN and $INCLUDE directives.)
A domain value specified as a ` . ' (dot) represents the root.
Specifies the number of seconds corresponding to the time-to-live value applicable to the zone characteristic that is defined in the remaining fields. This field is optional. It defaults to zero. Zero is interpreted as the minimum value specified in the SOA record for the zone.
Specifies the object address type; currently only one type is supported, IN , for objects connected to the Internet.
Specifies values that describe a zone charateristic. Permissible rr-type and other field values are listed below. The field values are listed in the order that they must appear.
Specifies the host address (in dotted-quad format). DCE or AFS server.
Specifies in a domain-name format the canonical name for the alias (domain).
Host information supplied in terms of a CPU type and an OS type.
Specifies in domain-name format a mail exchanger preceded by a preference value (between 0 and 32767), with lower numeric values representing higher logical preferences.
Specifies in domain-name format an authoritative name server.
Specifies a null zone record.
Specifies in domain-name format a domain name pointer.
Offers details about how to reach a responsible person for the domain name.
retry expire ttl
Establishes the start of a zone of authority in terms of the domain of the originating host (host-domain), the domain address of the maintainer (maintainer-addr), a serial number (serial-no), the refresh period in seconds (refresh), the retry period in seconds (retry), the expiration period in seconds (expire), and the minimum time-to-live period in seconds (ttl). See RFC 1035.
The serial number should be changed each time the master file is changed. Secondary servers check the serial number at intervals specified by the refresh time in seconds; if the serial number changes, a zone transfer will be done to load the new data.
If a master server cannot be contacted when a refresh is due, the retry time specifies the interval at which refreshes should be attempted. If a master server cannot be contacted within the interval given by the expire time, all data from the zone is discarded by secondary servers. The minimum value is the time-to-live used by records in the file with no explicit time-to-live value.
The serial number can be given as a dotted number. However, this is a very unwise thing to do, since the translation to normal integers is via concatenation rather than multiplication and addition. You could spell out the year, month, day of month, and 0..99 version number and still fit it inside the unsigned 32-bit size of this field. This strategy should work for the forseeable future (but is questionable after the year 4293).
For more detailed information, see RFC 883 .
See the description of rr-type .
Consult Name Server Operations Guide for BIND for further information about the supported types of resource records.
The in.named process returns the following exit values:
Successful completion.
An error occurred.
In the Trusted Solaris
environment, these files have a sensitivity label of
ADMIN_LOW
:
Name server configuration boot file.
The process ID (on older systems).
Debug output.
Nameserver statistics data.
Dump of the name servers database.
The process ID (on newer systems).
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWcsu |
in.named accepts requests at any sensitivity label and replies at the sensitivity label of the client's request. in.named can serve DNS clients and can communicate with other DNS servers that are on Trusted Solaris hosts or non-trusted hosts.
Files used by
in.named
should be protected from
unauthorized access by having the sensitivity label
ADMIN_LOW
.
Invoking
in.named
requires the trusted path attribute,
an effective
UID
of 0, a process sensitivity label of
ADMIN_LOW
, and the following privileges:
net_mac_read
,
net_privaddr
,
net_upgrade_sl
,
proc_setclr
,
sys_trans_label
,
sys_net_config
, and
sys_config
.
kill(1) , named-xfer(1M) , syslogd(1M) , signal(3C) , syslog(3C) , getservbyname(3SOCKET) , syslog.conf(4) , attributes(5)
Braden, R. (Editor), Requirements for Internet Hosts - Applications and Support, RFC 1123, Internet Engineering Task Force - Network Working Group, October 1989.
Mockapetris, Paul, Domain Names - Concepts and Facilities, RFC 1034, , Network Information Center, SRI International, Menlo Park, Calif., November 1987.
Mockapetris, Paul, Domain Names - Implementation and Specification, RFC 1035 , Network Information Center, SRI International, Menlo Park, Calif., November 1987.
Mockapetris, Paul, Domain System Changes and Observations, RFC 973 , Network Information Center, SRI International, Menlo Park, Calif., January 1986.
Partridge, Craig, Mail Routing and the Domain System, RFC 974 , Network Information Center, SRI International, Menlo Park, Calif., January 1986.
Vixie, Paul, Dunlap, Keven J., Karels, Michael J., Name Server Operations Guide for BIND (public domain), Internet Software Consortium, 1995.
The following signals have the specified effect when sent to the server process using the kill(1) command:
Causes the server to read /etc/named.conf and reload the database.
Also causes the server to check the serial number on all secondary zones. Normally the serial numbers are only checked at the intervals specified by the SOA record at the start of each zones-definition file.
Dumps the current database and cache to /var/tmp/nameddump.db .
Dumps statistical data into /var/tmp/named.stats . Statistical data are appended to the file.
Turns on debugging at the lowest level when received the first time; receipt of each additional SIGUSR1 signal causes the server to increment the debug level.
Turns off debugging completely.
Toggles logging of all incoming queries through the syslog system daemon. See syslogd(1M) .
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | USAGE | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO | NOTES