BIND9.x --- 2002 7 10 jus --- kohi@iri.co.jp
? 1995 1997 / (over 3000 zones!) 1998 2000 2000 GlobalCenter Japan( BroadBand Tower) Copyright(c) 2002, Koh-ichi Ito 2
DNS RFC2317 /24 (BIND9.x )
DNS Internet Registry(JPRS ) DNSSEC TSIG Dynamic Update, split DNS, etc...
DNS
DNS (1) http://www.jus.or.jp/ http://210.145.136.86/ 3ffe:504:fedc:ba98:0123:4567:89ab:cdef
DNS (2) <->IP 1 DNS
DNS (3)...
(1) Authority jp. 1.(root) JPNIC Authority or.jp. 1 jus.or.jp. 1 or.jp. Authority
(2) (RR) ->IP (A,AAAA) IP -> (PTR) (MX) (SOA) Authority (NS)
(3) hoge.jus.or.jp JPNIC jus.or.jp.
(1) <->IP -> <-? IP(v4). v6
(2) [ ] ( )-> ( )[ ] www.jus.or.jp. IP [ ] -> [ ] 210.145.136.86 86.136.145.210.in-addr.arpa.
/24
/24 (1)
  192.168.0.0/27:   A
  192.168.0.32/28:  B
  192.168.0.48/28:  C
  192.168.0.64/26:  D
  192.168.0.128/25: E
/24 (2) ( ) 0.168.192.in-addr.arpa.?
/24 (3) RFC2317 Classless IN-ADDR.ARPA delegation (Best Current Practice)
  0/27.0.168.192.in-addr.arpa.
  32/28.0.168.192.in-addr.arpa.
  :
  128/25.0.168.192.in-addr.arpa.
/24 (4) 0.168.192.in-addr.arpa. (CNAME)
  1.0.168.192.in-addr.arpa.  -> 1.0/27.0.168.192.in-addr.arpa.
  2.0.168.192.in-addr.arpa.  -> 2.0/27.0.168.192.in-addr.arpa.
  :
  33.0.168.192.in-addr.arpa. -> 33.32/28.0.168.192.in-addr.arpa.
  :
/24 [figure: in-addr.arpa. -> 192 -> 168 -> 0 -> 1, 2 ...... 253, 254]
/24 [figure: in-addr.arpa. -> 192 -> 168 -> 0 -> 0/27 (1, 2 ... 29, 30), 32/28 (33, 34 ...) ...; the labels 1, 2 ...... 29, 30, 33, 34 ... under 0 point into those subzones]
/24 (5) 0.168.192.in-addr.arpa.? ISP PTR GUI ISP PTR
/24 (6) ISP
  33.32/28.0.168.192.in-addr.arpa.
  33.32.0.168.192.in-addr.arpa.
  33.b-company.0.168.192.in-addr.arpa.
  :
  ISP
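A generator for the parent-zone side of the RFC 2317 setup on the preceding slides (the A..E split of 192.168.0.0/24 and the CNAME-into-subzone scheme). This is an added example, not code from the original slides; the nameserver names under .example. are assumed, and the label of each child zone can be overridden to show the ISP-chosen alternatives from slide (6).

```python
import ipaddress

def reverse_zone_v4_24(net):
    """in-addr.arpa name of a /24: 192.168.0.0/24 -> 0.168.192.in-addr.arpa."""
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."

def rfc2317_parent_zone(parent_cidr, delegations):
    """Records the /24 holder (the ISP) puts in its reverse zone per RFC 2317.

    delegations: list of (cidr, nameserver_fqdn, label_or_None). Each block is
    delegated as a child zone labelled "first/prefixlen" by default (e.g.
    0/27.0.168.192.in-addr.arpa.); the ISP may choose "32" or "b-company"
    instead. Every usable host gets a CNAME into the child zone.
    """
    parent = ipaddress.ip_network(parent_cidr)
    if parent.prefixlen != 24:
        raise ValueError("parent must be a /24")
    zone = reverse_zone_v4_24(parent)
    records, seen = [], []
    for cidr, ns, label in delegations:
        # strict parsing (the default) rejects a misaligned block such as
        # 192.168.0.40/28, whose host bits are not zero
        block = ipaddress.ip_network(cidr)
        if not block.subnet_of(parent) or not 25 <= block.prefixlen <= 30:
            raise ValueError(f"{cidr} is not a delegatable sub-block of {parent_cidr}")
        if any(block.overlaps(s) for s in seen):
            raise ValueError(f"{cidr} overlaps an earlier block")
        seen.append(block)
        first = int(block.network_address) & 0xFF
        label = label or f"{first}/{block.prefixlen}"
        records.append(f"{label} IN NS {ns}")
        for host in block.hosts():
            n = int(host) & 0xFF
            records.append(f"{n} IN CNAME {n}.{label}.{zone}")
    return records

def main():
    # constructed sample: the A..E split from the slides; nameservers are assumed
    split = [("192.168.0.0/27", "ns.a-company.example.", None),
             ("192.168.0.32/28", "ns.b-company.example.", None),
             ("192.168.0.48/28", "ns.c-company.example.", None),
             ("192.168.0.64/26", "ns.d-company.example.", None),
             ("192.168.0.128/25", "ns.e-company.example.", None)]
    for line in rfc2317_parent_zone("192.168.0.0/24", split):
        print(line)

if __name__ == "__main__":
    main()
```

The output is the body of 0.168.192.in-addr.arpa. below its SOA/NS records; misaligned or overlapping customer blocks are rejected before any record is emitted.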
/ don.gr.jp IPv4 172.16.7.152/29 IPv6 3ffe:504:fedc:ba98::/64 BIND9.x
BIND ftp://ftp.isc.org/isc/bind9/ get 9.2.1 configure FreeBSD/NetBSD make
  Supported Operating Systems: AIX 4.3, Tru64 4.0D, Tru64 5, HP-UX 11, IRIX64 6.5, Solaris 2.6, 7, 8, Red Hat Linux 6.0, 6.1, 6.2, 7.0
BIND (1) named.conf master/slave (master)/dump (slave) / rndc named
BIND (2) master rndc.conf rndc named
BIND (3) named.root root ftp get ftp://rs.internic.net/domain/named.root ftp://ftp.nic.ad.jp/internic/rs/domain/named.root root.cache
BIND (4) resolv.conf named recursive query DNS Windows Mac
named.conf(1)
  #
  # This is a comment.
  # ; is NOT a comment leader.
  #
  options {
          directory "/usr/local/etc/namedb";
          listen-on-v6 { any; };
  };
  named v6
named.conf(2)
  logging {
          channel to_syslog {
                  syslog daemon;
                  severity info;
                  print-category yes;
                  print-severity yes;
          };
          category default { to_syslog; };
  };
named.conf(3)
  /*
   * permission of rndc-key should be 400.
   */
  include "rndc-key";
  controls {
          inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
named.conf(4)
  };
  inet * v6
          inet ::1 port 953 allow { ::1; } keys { rndc-key; };
named.conf(5)
  acl myslave { 10.12.34.56; ns.myisp.ad.jp; };
  zone "." IN {
          type hint;
          file "named.root";
  };
named.conf(6)
  zone "localhost" IN {
          type master;
          file "localhost";
  };
  zone "127.in-addr.arpa" IN {
          type master;
          file "127.in-addr.arpa";
  };
named.conf(7)
  zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" IN {
          type master;
          file "1000.0000.0000.0000.0000.0000.0000.0000.ip6.int";
  };
named.conf(7)
  zone "don.gr.jp" IN {
          type master;
          file "don.gr.jp";
          allow-transfer { myslave; localhost; };
  };
named.conf(8)
  zone "152/29.7.16.172.in-addr.arpa" IN {
          type master;
          file "152_29.7.16.172.in-addr.arpa";
          allow-transfer { myslave; localhost; };
  };
named.conf(9)
  zone "8.9.a.b.c.d.e.f.4.0.5.0.e.f.f.3.ip6.int" IN {
          type master;
          file "89ab.cdef.4050.eff3.ip6.int";
          allow-transfer { myslave; localhost; };
  };
localhost
  ;
  ; This is a comment.
  ; # is NOT a comment leader.
  ;
  $TTL 1d
  @       IN SOA  oyako.don.gr.jp. hostmaster.don.gr.jp. (
                          2002071001
                          1h              ; w,d,h,m
                          20m
                          1000h
                          15m )           ; negative cache TTL
          IN NS   oyako.don.gr.jp.
          IN A    127.0.0.1
          IN AAAA ::1
127.in-addr.arpa
  $TTL 1d
  @       IN SOA  oyako.don.gr.jp. hostmaster.don.gr.jp. (
                          2002071001 1h 20m 1000h 15m )
          IN NS   oyako.don.gr.jp.
  1.0.0   IN PTR  localhost.
1000.0000.0000.0000.0000.0000.0000.0000.ip6.int
  $TTL 1d
  @       IN SOA  oyako.don.gr.jp. hostmaster.don.gr.jp. (
                          2002071001 1h 20m 1000h 15m )
          IN NS   oyako.don.gr.jp.
          IN PTR  localhost.
don.gr.jp(1)
  $TTL 1d
  @       IN SOA  oyako.don.gr.jp. hostmaster.don.gr.jp. (
                          2002071001 1h 20m 1000h 15m )
          IN NS   oyako.don.gr.jp.
          IN NS   ns.myisp.ad.jp.
          IN MX   10 negitoro.don.gr.jp.
  localhost IN CNAME localhost.
don.gr.jp(2)
  oyako     IN A    172.16.7.153
            IN AAAA 3ffe:504:fedc:ba98::53
  negitoro  IN A    172.16.7.154
            IN AAAA 3ffe:504:fedc:ba98::25
  cot       IN A    172.16.7.155
  una       IN A    172.16.7.156
  ten       IN A    172.16.7.157
  gyu       IN A    172.16.7.158
152_29.7.16.172.in-addr.arpa
  $TTL 1d
  @       IN SOA  oyako.don.gr.jp. hostmaster.don.gr.jp. (
                          2002071001 1h 20m 1000h 15m )
          IN NS   oyako.don.gr.jp.
          IN NS   ns.myisp.ad.jp.
  153     IN PTR  oyako.don.gr.jp.
  154     IN PTR  negitoro.don.gr.jp.
  155     IN PTR  cot.don.gr.jp.
  156     IN PTR  una.don.gr.jp.
  157     IN PTR  ten.don.gr.jp.
  158     IN PTR  gyu.don.gr.jp.
89ab.cdef.4050.eff3.ip6.int
  $TTL 1d
  @       IN SOA  oyako.don.gr.jp. hostmaster.don.gr.jp. (
                          2002071001 1h 20m 1000h 15m )
          IN NS   oyako.don.gr.jp.
          IN NS   ns.myisp.ad.jp.
  25      IN PTR  negitoro.don.gr.jp.
  53      IN PTR  oyako.don.gr.jp.
named-checkconf named.conf lint apachectl configtest
  oyako# named-checkconf ./named.conf
  ./named.conf:49: missing ';' before 'file'
named-checkzone zone A RR _ Expire Refresh
  oyako# named-checkzone don.gr.jp. don.gr.jp
  dns_rdata_fromtext: don.gr.jp:21: near 'localhost.': bad dotted quad
  zone don.gr.jp/in: loading master file don.gr.jp: bad dotted quad
rndc.conf rndc-key(1) $PREFIX/sbin/rndc-confgen FreeBSD NetBSD -r /dev/urandom -r keyboard /dev/random BIND
rndc-confgen(1)
  oyako# /usr/local/sbin/rndc-confgen -r keyboard
  start typing:                    <- stderr
  ........................
  stop typing.                     <- stderr
rndc-confgen(2)
  # Start of rndc.conf
  key "rndc-key" {
          algorithm hmac-md5;
          secret "prgbj08mdux/2apyracr0a==";
  };

  options {
          default-key "rndc-key";
          default-server 127.0.0.1;
          default-port 953;
  };
  # End of rndc.conf
  rndc.conf
rndc-confgen(3)
  # Use with the following in named.conf, adjusting the allow list as needed:
  # key "rndc-key" {
  #       algorithm hmac-md5;
  #       secret "prgbj08mdux/2apyracr0a==";
  # };
  #
  # controls {
  #       inet 127.0.0.1 port 953
  #               allow { 127.0.0.1; } keys { "rndc-key"; };
  # };
  # End of named.conf
  rndc-key
rndc.conf rndc-key(2) rndc.conf root rndc permission wheel su rndc rndc-key key
TTL(1) $TTL RFC2308 BIND8.x RR TTL named BIND9.0.x,9.1.x
TTL(2) SOA MINIMUM (...) BIND4.x RR TTL BIND8.x $TTL RFC2308 negative cache TTL
TTL(3) negative cache RR RR
TTL(4) MINIMUM negative cache named.conf kaisen.don.gr.jp.( ) negative cache
SOA $TTL w(week),d(day),h(hour),m(min) Administrator Reference Manual, Setting TTLs: "All of these TTLs default to units of seconds, though units can be explicitly specified, for example, 1h30m."
logging(1) category named database,security,config,default category channel channel file,syslog,stderr,null facility
logging(2) database channel1 channel2 channel3 security config default file1 file2 syslog (daemon)
logging(3) named.conf logging{...} syslog(daemon) logging{...}
IPv6 support BIND8.x v6 RR(AAAA,v6 PTR) / v4 BIND9.x v6 / listen-on-v6{any} A6 bit stream PTR
BIND8.x 9.x (1) BIND9.0.0-rc5 BIND8.x named.conf not implemented statistics-interval logging{...} unknown $TTL load
BIND8.x 9.x (2) controls{...} :-) rndc kill controls{...} (^^; ( ) 4.x->8.x rndc
BIND8.x 9.x (3) rndc reload stop BIND8.x ndc restart (9.2.1 )
(1) master WorldWide slave WorldWide recursive query
? root jp.
(2) zone hash zone
  zone "152/29.7.16.172.in-addr.arpa" {
          file "slave/v4inv/172/16/7/152_29...";
  };
(3) /var / ( master) ->risky ( slave)
/ (1) perl summarize S/N? vmstat( ) netstat -m (mbuf) named statistics?
/ (2) master Authority? MRTG dnswalk / http://www.visi.com/~barr/dnswalk/
/ (3) recursion off; slave / xfer-in master S/N summarize
/ (4) resolver recursive query / any idea? allow-recursion{...} /
tips reload named &; tail -f /var/log/messages RR RHS notify slave
$GENERATE
  @ IN SOA (...)
  :
  $GENERATE 70-125 dhcp$ A 192.168.0.$
  ->
  dhcp70 IN A 192.168.0.70
  dhcp71 IN A 192.168.0.71
  :
-t(chroot) BIND8.x chroot() openlog() BIND9.x named /var/run/log bug? FreeBSD syslogd -l (additional log socket) openlog() chroot() syslog
Thank you! Next session!