The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
The main configuration file for named is /etc/named.conf, which contains settings for named and the top-level definitions for zones, for example:

    include "/etc/rndc.key";

    controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };

    zone "us.mydom.com" {
        type master;
        file "master-data";
        allow-update { key "rndc-key"; };
        notify yes;
    };

    zone "mydom.com" IN {
        type slave;
        file "sec/slave-data";
        allow-update { key "rndc-key"; };
        masters { 10.1.32.1; };
    };

    zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "reverse-192.168.2";
        allow-update { key "rndc-key"; };
        notify yes;
    };
The include statement allows external files to be referenced, so that potentially sensitive data such as key hashes can be placed in a separate file with restricted permissions.
The controls statement defines access information and the security requirements that are necessary to use the rndc command with the named server:

- inet: Specifies which hosts can run rndc to control named. In this example, rndc must be run on the local host (127.0.0.1).
- keys: Specifies the names of the keys that can be used. The example specifies using the key named rndc-key, which is defined in /etc/rndc.key. Keys authenticate various actions by named and are the primary method of controlling remote access and administration.
The zone statements define the role of the server in different zones. The following zone options are used:

- type: Specifies that this system is the primary name server for the zone us.mydom.com and a backup server for mydom.com. 2.168.192.in-addr.arpa is a reverse zone for resolving IP addresses to host names. See Section 13.3.3, “About Resource Records for Reverse-name Resolution”.
- file: Specifies the path to the zone file relative to /var/named. The zone file for us.mydom.com is stored in /var/named/master-data and the transferred zone data for mydom.com is cached in /var/named/sec/slave-data.
- allow-update: Specifies that a shared key must exist on both the primary and backup name servers for a zone transfer to take place from the primary server to the backup. The following is an example record for a key in /etc/rndc.key:

      key "rndc-key" {
          algorithm hmac-md5;
          secret "XQX8NmM41+RfbbSdcqOejg==";
      };

  You can use the rndc-confgen -a command to generate a key file.
- notify: Specifies whether to notify the backup name servers when the zone information is updated.
- masters: Specifies the primary name server for a backup name server.
The next example is taken from the default /etc/named.conf file that is installed with the bind package, and which configures a caching-only name server.

    options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localnets; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
The options statement defines global server configuration options and sets defaults for other statements.

- listen-on: The port (and the addresses) on which named listens for queries.
- directory: Specifies the default directory for zone files if a relative pathname is specified.
- dump-file: Specifies where named dumps its cache if it crashes.
- statistics-file: Specifies the output file for the rndc stats command.
- memstatistics-file: Specifies the output file for named memory-usage statistics.
- allow-query: Specifies which IP addresses may query the server. localnets specifies all locally attached networks.
- recursion: Specifies whether the name server performs recursive queries.
- dnssec-enable: Specifies whether to use secure DNS (DNSSEC).
- dnssec-validation: Specifies whether the name server should validate replies from DNSSEC-enabled zones.
- dnssec-lookaside: Specifies whether to enable DNSSEC Lookaside Validation (DLV) using the key in /etc/named.iscdlv.key defined by bindkeys-file.
The logging section enables logging of messages to /var/named/data/named.run. The severity parameter controls the logging level, and the dynamic value means that this level can be controlled by using the rndc trace command.
The zone section specifies the initial set of root servers using a hint zone. This zone specifies that named should consult /var/named/named.ca for the IP addresses of authoritative servers for the root domain (.).
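As an added example that is not part of the Oracle documentation, the following Python script parses named.conf text in the statement-and-brace form used by both excerpts above and flags three of the settings discussed here: recursion combined with an unrestricted allow-query, a controls inet channel open to any address, and an rndc key still using hmac-md5. The embedded sample configuration is constructed from this page's excerpts with a placeholder secret; include files are not followed.

```python
import re

# Constructed sample modelled on this page's two named.conf excerpts (the secret is a placeholder).
SAMPLE_CONF = """
controls { inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }; };
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER-SECRET"; };
options { listen-on port 53 { 127.0.0.1; }; allow-query { localnets; }; recursion yes; };
zone "us.mydom.com" { type master; file "master-data"; allow-update { key "rndc-key"; }; notify yes; };
zone "mydom.com" IN { type slave; file "sec/slave-data"; masters { 10.1.32.1; }; };
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')   # quoted string, punctuation, or bare word

def parse(text):
    """named.conf text -> statements (lists of words; each brace block appears inline as a nested list)."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)                    # strip /* ... */ comments
    tokens, pos = TOKEN.findall(re.sub(r'(?m)(//|#).*$', ' ', text)), 0  # strip // and # (crude: clips a quoted URL)
    def block():
        nonlocal pos
        stmts, stmt = [], []
        while pos < len(tokens):
            tok = tokens[pos]; pos += 1
            if tok == '}': break
            if tok == '{': stmt.append(block())
            elif tok == ';': stmts += [stmt] if stmt else []; stmt = []
            else: stmt.append(tok.strip('"'))
        return stmts + ([stmt] if stmt else [])   # tolerate a missing final ';'
    return block()

def first(stmts, name):   # first statement whose keyword is name, or []
    return next((s for s in stmts if s[0] == name), [])

def body(stmt, after=None):
    """Statements inside the brace block that follows keyword `after` (default: the statement's last block)."""
    i = stmt.index(after) + 1 if after in stmt else len(stmt) - 1
    return stmt[i] if 0 <= i < len(stmt) and isinstance(stmt[i], list) else []

def audit(text):
    """Check three settings discussed on this page; returns a list of finding strings."""
    conf, findings = parse(text), []
    opts = body(first(conf, 'options'))
    clients = [e[0] for e in body(first(opts, 'allow-query'))]
    if first(opts, 'recursion')[1:2] == ['yes'] and 'any' in clients:   # only an explicit 'recursion yes'
        findings.append('options: recursion yes with allow-query { any; } makes an open resolver')
    for inet in body(first(conf, 'controls')):
        if inet[1:2] == ['*'] or 'any' in [e[0] for e in body(inet, 'allow')]:
            findings.append('controls inet %s: rndc control channel reachable from any address' % inet[1])
    for key in (s for s in conf if s[0] == 'key'):
        if first(body(key), 'algorithm')[1:2] == ['hmac-md5']:
            findings.append('key %s: hmac-md5 is deprecated for TSIG; regenerate with hmac-sha256' % key[1])
    return findings
```

Running audit() on a real /etc/named.conf needs the referenced key file contents pasted in, since the parser does not follow include statements.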
For more information, see the named.conf(5) manual page and the BIND documentation in /usr/share/doc/bind-version/arm.