System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

The `named.conf` File

BIND 8.1 added a new configuration file, /etc/named.conf, that replaces the /etc/named.boot file. The /etc/named.conf file establishes the server as a master, slave, or cache-only name server. It also specifies the zones over which the server has authority and which data files it should read to get its initial data.

The /etc/named.conf file contains statements that implement:

Security through an access control list (ACL) that defines a collection of IP addresses that an NIS+ host can read and write
Logging specifications
Selectively applied options for a set of zones, rather than to all zones

The configuration file is read by in.named when the daemon is started by the server's startup script, /etc/init.d/inetsvc. The configuration file directs in.named to other servers or to local data files for a specified domain.

The named.conf file contains statements and comments. Statements end with a semicolon. Some statements can contain a block of statements. Again, each statement in the block is terminated with a semicolon.

Table 3–2 named.conf Statements


`acl`	Defines a named IP address match list used for access control. The address match list designates one or more IP addresses (dotted-decimal notation) or IP prefixes (dotted-decimal notation followed with a slash and the number of bits in the netmask). The named IP address match list must be defined by an `acl` statement before it can be used elsewhere. No forward references are allowed.
`include`	Inserts an include file at the point where the `include` statement is encountered. Use `include` to break up the configuration into more easily managed chunks.
`key`	Specifies a key ID used for authentication and authorization on a particular name server. See the `server` statement.
`logging`	Specifies what information the server logs and the destination of log messages.
`options`	Controls global server configuration options and sets default values for other statements.
`server`	Sets designated configuration options associated with a remote name server. Selectively applies options on a per-server basis, rather than to all servers.
`zone`	Defines a zone. Selectively applies options on a per-zone basis, rather than to all zones.

Example 3–1 Example Master Configuration File for a Master Server

options {
         directory "/var/named";
         datasize 2098;
         forward only;
         forwarders {
                  99.11.33.44;
         };
         recursion no;
         transfers-in 10;
         transfers-per-ns 2;
         allow-transfer {
                  127.0.1.1/24;
         };
};
 
logging {
         category queries { default_syslog; };
};
 
include "/var/named/abcZones.conf"
 
 
// here are the names of the master files
zone "cities.zn" {
         type master;
         file "db.cities.zn";
};
 
zone "0.0.127.in-addr.arpa" {
         type master;
         file "db.127.cities.zn";
};
 
zone "168.192.in-addr.arpa" {
         type master;
         file "db.cities.zn.rev";
};
 
zone "sales.doc.com" {
         type slave;
         file "slave/db.sales.doc";
         masters {
                  192.168.1.151;
         };
};
 
 
zone "168.192.in-addr.arpa" {
	         type slave;
         file "slave/db.sales.doc.rev";
         masters {
                  192.168.1.151;
         };
};

DNS Hierarchy in a Local Domain

If your company is large enough, it might support a number of domains, organized into a local namespace. The following figure shows a domain hierarchy that might be in place in a single company. The top-level, or “root” domain for the organization is ajax.com, which has three subdomains, sales.ajax.com, test.ajax.com, and manf.ajax.com.

Figure 3–3 Hierarchy of DNS Domains in a Single Organization

Illustration shows hierarchy of DNS domains in the Ajax.com domain, with Sales, Test and Manf being subdomains.

DNS clients request service only from the servers that support their domain. If the domain's server does not have the information the client needs, it forwards the request to its parent server, which is the server in the next higher domain in the hierarchy. If the request reaches the top-level server, the top-level server determines whether the domain is valid. If it is not valid, the server returns a “not found” type message to the client. If the domain is valid, the server routes the request down to the server that supports that domain.

DNS Hierarchy and the Internet

The domain hierarchy shown in the following figure is a “leaf” of the huge DNS namespace supported on the global Internet.

It consists of the root directory, represented as a dot (.), and two top level domain hierarchies, one organizational and one geographical. Note that the com domain introduced in this figure is one of a number of top-level organizational domains in existence on the Internet.

Figure 3–4 Hierarchy of Internet Domains

Diagram shows organizational and geographical top level domain structures for the Internet.

At the present time, the organizational hierarchy divides its namespace into the top-level domains listed shown in the following table. It is probable that additional top-level organizational domains will be added in the future.

Table 3–3 Internet Organizational Domains


Domain	Purpose
`com`	Commercial organizations
`edu`	Educational institutions
`gov`	Government institutions
`mil`	Military groups
`net`	Major network support centers
`org`	Nonprofit organizations and others
`int`	International organizations

The geographic hierarchy assigns each country in the world a two or three-letter identifier and provides official names for the geographic regions within each country. For example, domains in Britain are subdomains of the uk top-level domain, Japanese domains are subdomains of jp, and so on.

Joining the Internet

The Internet root domain, top-level domains (organizational and geographical) are maintained by the various Internet governing bodies. People with networks of any size can “join” the Internet by registering their domain name in either the organizational or the geographical hierarchy.

Every DNS domain must have a domain name. If your site wants to use DNS for naming service without connecting to the Internet, you can use any name your organization wants for its your domains and subdomains, if applicable. However, if your site plans wants to join the Internet, it must register its domain name with the Internet governing bodies.

To join the Internet, do the following.

Register your DNS domain name with the an appropriate Internet governing body.
Obtain a network IP address from that governing body.

There are two ways to accomplish this.

You can communicate directly with the appropriate Internet governing body or their agent.

You can contract with an Internet Service Provider (ISP) to assist you. ISPs provide a wide range of services from consulting to actually hosting your Internet presence.

Domain Names

Domain names indicate a domain's position in the overall DNS namespace, much as path names indicate a file's position in the UNIX file system. After your local domain is registered, its name is added to the name of the Internet hierarchy to which it belongs. For example, the ajax domain shown in Figure 3–5 has been registered as part of the Internet com hierarchy. Therefore, its Internet domain name becomes ajax.com.

The following figure shows the position of the ajax.com domain in the DNS namespace on the Internet.

Figure 3–5 Ajax Domain's Position in the DNS Namespace

Diagram shows Ajax as a subdomain of .com in the worldwide DNS namespace.

The ajax.com subdomains now have the following names.

sales.ajax.com
test.ajax.com
 manf.ajax.com

DNS does not require domain names to be capitalized, though they can be. Here are some examples of machines and domain names.

boss.manf.ajax.com
quota.sales.ajax.com

The Internet organization regulates administration of its domains by granting each domain authority over the names of its hosts and by expecting each domain to delegate authority to the levels below it. Thus, the com domain has authority over the names of the hosts in its domain. It also authorizes the formation of the ajax.com domain and delegates authority over the names in that domain. The ajax.com domain, in turn, assigns names to the hosts in its domain and approves the formation of the sales.ajax.com, test.ajax.com, and manf.ajax.com domains.

Fully Qualified Domain Names (FQDNs)

A domain name is said to be fully-qualified when it includes the names of every DNS domain from the local domain on up to “.”, the DNS root domain. Conceptually, the fully qualified domain name indicates the path to the root, as does the absolute path name of a UNIX file. However, fully qualified domain names are read from lowest, on the left, to highest, on the right. Therefore, a fully-qualified domain name has the following syntax.

The fully qualified domain names for the ajax domain and its subdomains are:

ajax.com. 
sales.ajax.com. 
test.ajax.com. 
manf.ajax.com.

Note the dot at the furthest right position of each name.

The named.conf File