bind_manual_setup(7)

NAME
       bind_manual_setup - Describes how to manually set up the
       Berkeley Internet Name Domain (BIND) service on your network.

DESCRIPTION
       Setting up a BIND domain includes configuring the following:

         o  Master server
         o  Slave servers
         o  Stub servers
         o  Caching-only servers
         o  Forward-only servers
         o  Clients

                                  Note

       Documentation for BIND prior to Version 8.1.1 referred to
       the master server as a primary server and the slave server
       as a secondary server.  Though the terminology has changed,
       master and slave servers are still referred to as having
       primary and secondary authority, respectively, for zones.
SETTING UP THE MASTER SERVER
       There can be only one master server in a BIND domain.  Use
       the following procedure to set up a BIND master server:

       1.  Create the /etc/resolv.conf file.

           The /etc/resolv.conf file contains the domain name and
           the Internet Protocol (IP) address for the local host.
           Format the /etc/resolv.conf file as follows, substituting
           your domain name for cities.dec.com:

           # @(#)resolv.conf
           #
           # Description:  The resolv.conf file lists name-value pairs that
           #               provide information to the BIND resolver.
           #
           # Syntax:       domain <domainname>
           #       and
           #               nameserver <address>
           #
           # Caution:      White space entered after the domain name is not
           #               ignored; it is interpreted as part of the domain name.
           #
           # domain <domainname>     local domain name
           # nameserver <address>    Internet address of a name server
           #                         that the resolver should query
           #
           domain cities.dec.com
           nameserver 127.0.0.1

       2.  Create the database files by using the following procedure:

           a.  Copy into or create in the /etc/namedb/src directory a
               file called hosts.  The hosts file should have the
               following format:

               127.0.0.1           localhost
               120.105.1.20        host1.cities.dec.com   h1      #BIND server
               120.105.1.142       host2   h2
               120.105.1.1         host3   h3      #BIND server
               120.105.1.13        host4
               120.105.2.23        host5   h5

               The first field is the IP address.  The second field is
               the host name.  The third field is for aliases for the
               host name (optional).  The fourth field is comments,
               introduced by the number sign (#) (optional).

           b.  Run the make hosts command from within the /etc/namedb
               directory by entering the following commands:

               # cd /etc/namedb
               # make hosts

               The make hosts command creates the /etc/namedb/hosts.db
               and /etc/namedb/hosts.rev files.

                                  Note

               Any host names with a domain name different from that
               for which you are creating the database are ignored.
               For example, if you create the hosts database for the
               domain cities.dec.com and you have a host name
               fizzle.nac.dec.com in the file, fizzle.nac.dec.com is
               ignored.  Also, the first host name that the make hosts
               command encounters that has either no domain name or
               the default domain name becomes the primary name of the
               machine.  All other names are considered aliases, or
               CNAMEs.  For example, for the following entry, the make
               hosts command considers host2 the primary name of the
               system and h2 an alias:

               120.105.1.20 host2 h2
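               The following is an added example, not the Tru64 make
               hosts target and not code from this reference page.  It
               re-implements the three rules just described (names in
               another domain are ignored, the first name without a
               domain or with the default domain becomes the primary
               name, every other qualifying name becomes a CNAME) and
               derives the PTR records for the reverse zone, so the
               effect of each rule on a hosts file can be inspected
               before the real database is built.  The sample hosts
               data, the zone header layout and the output format are
               constructed for this example.

```python
# Added example: a small generator that turns a hosts file in the format
# shown above into hosts.db / hosts.rev records, applying the make hosts
# rules the page states.  Not the Tru64 make hosts implementation.

# Constructed sample input in the hosts-file format shown on the page
# (the last line is in a foreign domain and must be ignored).
SAMPLE_HOSTS = """\
127.0.0.1           localhost
120.105.1.20        host1.cities.dec.com   h1      #BIND server
120.105.1.142       host2   h2
120.105.1.1         host3   h3      #BIND server
120.105.1.13        host4
120.105.2.23        host5   h5
120.105.3.9         fizzle.nac.dec.com
"""


def parse_hosts(text):
    """Yield (ip, [names]) for each non-blank line; '#' starts a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            yield fields[0], fields[1:]


def classify(names, domain):
    """Split names into (primary, aliases) for `domain`, or return None
    when no name belongs to the domain (the whole entry is then skipped)."""
    suffix = "." + domain
    primary, aliases = None, []
    for name in names:
        short = name[:-len(suffix)] if name.endswith(suffix) else name
        if "." in short:          # a name in some other domain: ignored
            continue
        if primary is None:
            primary = short       # first qualifying name is the primary
        else:
            aliases.append(short)  # every later one becomes a CNAME
    return None if primary is None else (primary, aliases)


def zone_header(ns_host, serial):
    """SOA and NS records in the layout the page uses for named.local."""
    return [
        f"@       IN      SOA     {ns_host}. postmaster.{ns_host}. (",
        f"                                {serial}       ; Serial",
        "                                3600    ; Refresh",
        "                                300     ; Retry",
        "                                3600000 ; Expire",
        "                                3600 )  ; Minimum",
        f"        IN      NS      {ns_host}.",
    ]


def build_zones(text, domain, network, ns_host, serial=1):
    """Return (hosts_db, hosts_rev) record lists for `domain` and for the
    reverse zone of `network` (a prefix such as "120.105")."""
    fwd = zone_header(ns_host, serial)
    rev = zone_header(ns_host, serial)
    for ip, names in parse_hosts(text):
        entry = classify(names, domain)
        if entry is None:
            continue
        primary, aliases = entry
        fwd.append(f"{primary:<16}IN      A       {ip}")
        for alias in aliases:
            fwd.append(f"{alias:<16}IN      CNAME   {primary}")
        if ip.startswith(network + "."):
            # reverse the host part of the address to form the PTR owner
            host_part = ip[len(network) + 1:].split(".")
            owner = ".".join(reversed(host_part))
            rev.append(f"{owner:<16}IN      PTR     {primary}.{domain}.")
    return fwd, rev


def records(lines, rtype):
    """Return (owner, rdata) pairs for the records of type `rtype`."""
    out = []
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and fields[1] == "IN" and fields[2] == rtype:
            out.append((fields[0], fields[3]))
    return out


if __name__ == "__main__":
    db, rev = build_zones(SAMPLE_HOSTS, "cities.dec.com", "120.105",
                          "host1.cities.dec.com")
    print("\n".join(db), "\n".join(rev), sep="\n\n")
```

               Running the script prints the forward and reverse
               records; fizzle.nac.dec.com produces no record at all,
               h1 becomes a CNAME for host1, and 120.105.1.20 appears
               in the reverse zone as the owner 20.1.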
       3.  Create the /etc/namedb/named.ca file.

           The /etc/namedb/named.ca file must read as follows:

           ;
           ;       This file holds the information on root name servers needed to
           ;       initialize cache of Internet domain name servers
           ;       (e.g. reference this file in the "cache  .  <file>"
           ;       configuration file of BIND domain name servers).
           ;
           ;       This file is made available by InterNIC registration services
           ;       under anonymous FTP as
           ;           file                /domain/named.root
           ;           on server           FTP.RS.INTERNIC.NET
           ;       -OR- under Gopher at    RS.INTERNIC.NET
           ;           under menu          InterNIC Registration Services (NSI)
           ;              submenu          InterNIC Registration Archives
           ;           file                named.root
           ;
           ;       last update:    Aug 22, 1997
           ;       related version of root zone:   1997082200
           ;
           ;
           ; formerly NS.INTERNIC.NET
           ;
           .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
           A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
           ;
           ; formerly NS1.ISI.EDU
           ;
           .                        3600000  IN  NS    B.ROOT-SERVERS.NET.
           B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
           ;
           ; formerly C.PSI.NET
           ;
           .                        3600000  IN  NS    C.ROOT-SERVERS.NET.
           C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
           ;
           ; formerly TERP.UMD.EDU
           ;
           .                        3600000  IN  NS    D.ROOT-SERVERS.NET.
           D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
           ;
           ; formerly NS.NASA.GOV
           ;
           .                        3600000  IN  NS    E.ROOT-SERVERS.NET.
           E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
           ;
           ; formerly NS.ISC.ORG
           ;
           .                        3600000  IN  NS    F.ROOT-SERVERS.NET.
           F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
           ;
           ; formerly NS.NIC.DDN.MIL
           ;
           .                        3600000  IN  NS    G.ROOT-SERVERS.NET.
           G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
           ;
           ; formerly AOS.ARL.ARMY.MIL
           ;
           .                        3600000  IN  NS    H.ROOT-SERVERS.NET.
           H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
           ;
           ; formerly NIC.NORDU.NET
           ;
           .                        3600000  IN  NS    I.ROOT-SERVERS.NET.
           I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
           ;
           ; temporarily housed at NSI (InterNIC)
           ;
           .                        3600000  IN  NS    J.ROOT-SERVERS.NET.
           J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
           ;
           ; housed in LINX, operated by RIPE NCC
           ;
           .                        3600000  IN  NS    K.ROOT-SERVERS.NET.
           K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
           ;
           ; temporarily housed at ISI (IANA)
           ;
           .                        3600000  IN  NS    L.ROOT-SERVERS.NET.
           L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
           ;
           ; housed in Japan, operated by WIDE
           ;
           .                        3600000  IN  NS    M.ROOT-SERVERS.NET.
           M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
           ; End of File

       4.  Create the /etc/namedb/named.local file.

           The /etc/namedb/named.local file must contain the
           following information and be formatted as shown in the
           following example.  Replace host1.cities.dec.com with
           your host and domain name.

           ;
           ; BIND data file for local loopback interface.
           ;
           @       IN      SOA     host1.cities.dec.com. postmaster.host1.cities.dec.com. (
                                           1       ; Serial
                                           3600    ; Refresh
                                           300     ; Retry
                                           3600000 ; Expire
                                           3600 )  ; Minimum
                   IN      NS      host1.cities.dec.com.
           1       IN      PTR     localhost.
           localhost.      IN      A       127.0.0.1

       5.  Create the configuration (boot) file.
           The following is a sample named.conf file for a master
           server.  Replace cities.dec.com with your domain name and
           120.105 with your network number:

           // named.conf
           options {
                   directory "/etc/namedb";
                   /*
                    * If there is a firewall between you and nameservers
                    * you want to talk to, you might need to uncomment the
                    * query-source directive below.  Previous versions of BIND
                    * always asked questions using port 53, but BIND 8.1 uses
                    * an unprivileged port by default.
                    */
                   // query-source address * port 53;
           };
           //
           zone "cities.dec.com" {
                   type master;
                   file "hosts.db";
           };
           zone "120.105.in-addr.arpa" {
                   type master;
                   file "hosts.rev";
           };
           //
           //
           zone "0.0.127.in-addr.arpa" {
                   type master;
                   file "named.local";
           };
           //
           // load the cache data last
           zone "." {
                   type hint;
                   file "named.ca";
           };
           The database files are stored in the /etc/namedb directory
           by default.  You can store database files in any directory;
           however, if you place them in a directory other than the
           default directory, you should change the /etc/namedb in
           the configuration (boot) file to the name of the directory
           you have chosen.

           If necessary for IPv6 or Microsoft Windows network
           environments, enable dynamic updates by adding the
           allow-update substatement to the master zone statements
           (forward and reverse lookup), as follows:

           zone "cities.dec.com" {
                   type master;
                   file "hosts.db";
                   allow-update { any; };
           };
           zone "120.105.in-addr.arpa" {
                   type master;
                   file "hosts.rev";
                   allow-update { any; };
           };

           If necessary, configure authentication of dynamic updates
           and zone transfers.  See CONFIGURING AUTHENTICATION for
           more information.
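           With allow-update { any; }, every host that can reach the
           server may rewrite the zone, and a BIND 8 master with no
           allow-transfer substatement answers zone-transfer requests
           from any host; both are the reasons the page points to
           CONFIGURING AUTHENTICATION.  The following added example,
           which is not code from this reference page or from BIND,
           reads the zone statements out of a named.conf and reports
           master zones that still have either setting.  The two
           sample configurations inside it are constructed: the weak
           one is the page's allow-update fragment, the hardened one
           restricts updates to a shared key and transfers to one
           slave (the key name cities-update-key and the slave address
           120.105.4.13 are assumptions, not values from the page).

```python
# Added example: audit master zones in a BIND named.conf for open
# dynamic updates and unrestricted zone transfers.  Not part of BIND
# or of the Tru64 reference page; sample configurations are constructed.
import re

# Constructed: the master zones as the page shows them with allow-update
# { any; } enabled and no allow-transfer substatement.
WEAK_CONF = """\
zone "cities.dec.com" {
        type master;
        file "hosts.db";
        allow-update { any; };
};
zone "120.105.in-addr.arpa" {
        type master;
        file "hosts.rev";
        allow-update { any; };
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
"""

# Constructed hardened form (key name and slave address are assumptions):
# updates only with a shared key, transfers only to the slave, and the
# loopback zone not transferable at all.
HARDENED_CONF = """\
zone "cities.dec.com" {
        type master;
        file "hosts.db";
        allow-update { key "cities-update-key"; };
        allow-transfer { 120.105.4.13; };
};
zone "120.105.in-addr.arpa" {
        type master;
        file "hosts.rev";
        allow-update { key "cities-update-key"; };
        allow-transfer { 120.105.4.13; };
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
        allow-transfer { none; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{')


def strip_comments(conf):
    """Drop /* */ and // comments so a commented-out line is not read."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"//[^\n]*", "", conf)


def zone_bodies(conf):
    """Yield (zone_name, body) pairs, counting braces so nested blocks
    such as masters { ... } stay inside the zone they belong to."""
    conf = strip_comments(conf)
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def substatement(body, name):
    """Return the items of `name { a; b; };` inside body, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit(conf):
    """Return (zone, finding) pairs for every master zone in conf."""
    findings = []
    for zone, body in zone_bodies(conf):
        if not re.search(r"\btype\s+master\s*;", body):
            continue                      # slave, stub and hint zones are skipped
        updates = substatement(body, "allow-update")
        if updates and "any" in updates:
            findings.append((zone, "allow-update { any; }: any host may rewrite this zone"))
        transfers = substatement(body, "allow-transfer")
        if transfers is None or "any" in transfers:
            findings.append((zone, "zone transfers are open to any host; add allow-transfer"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

           The audit reports five findings for the weak configuration
           (two open allow-update substatements and three zones
           without allow-transfer) and none for the hardened one; the
           same functions can be pointed at a real named.conf read
           from disk.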
           Note that authentication is not supported on IPv6 name
           servers.

       6.  Edit the /etc/rc.config.common file by using the
           /usr/sbin/rcmgr utility.  The syntax for the
           /usr/sbin/rcmgr command is as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following commands to edit the
           /etc/rc.config.common file and add the required
           information:

           # /usr/sbin/rcmgr set BIND_CONF YES
           # /usr/sbin/rcmgr set BIND_SERVERTYPE MASTER
           # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

       7.  Edit the /etc/hosts file with the fully qualified BIND
           name of the host.

           To run BIND, your system's host name must include the
           BIND domain name.  The fully qualified BIND host name
           consists of the local host name plus the BIND domain
           name, separated by dots.  For example, the fully
           qualified BIND host name for a system whose local host
           name is host1 and whose BIND domain name is
           cities.dec.com is host1.cities.dec.com.

           See the hosts(4) reference page for more information.

       8.  Edit the /etc/rc.config file by using the /usr/sbin/rcmgr
           utility.  The syntax for the /usr/sbin/rcmgr command is
           as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following command to edit the /etc/rc.config
           file and add the required information:

           # /usr/sbin/rcmgr set HOSTNAME host1.cities.dec.com

           Replace host1.cities.dec.com with your system's fully
           qualified BIND name.

       9.  Set the new host name with the /sbin/hostname command.

           For example, to set the host name to host1.cities.dec.com
           for a system that was previously known locally as host1,
           enter the following command:

           # /sbin/hostname host1.cities.dec.com

      10.  Start the named daemon by issuing the following command:

           # /sbin/init.d/named start
SETTING UP A SLAVE SERVER
       Use the following procedure to set up a BIND slave server:

       1.  Create the /etc/resolv.conf file.  See step 1 in the
           Setting Up the Master Server section.

       2.  Create the /etc/namedb/named.ca file.  See step 3 in the
           Setting Up the Master Server section.

       3.  Create the /etc/namedb/named.local file.  See step 4 in
           the Setting Up the Master Server section.

       4.  Create the configuration (boot) file.
           A configuration file for a slave server should have the
           format shown in the following example.  Replace
           cities.dec.com with your domain name, 120.105 with your
           network number, and 120.105.4.5 with the IP address of
           your domain's BIND master server:

           // named.conf
           options {
                   directory "/etc/namedb";
                   /*
                    * If there is a firewall between you and nameservers
                    * you want to talk to, you might need to uncomment the
                    * query-source directive below.  Previous versions of BIND
                    * always asked questions using port 53, but BIND 8.1 uses
                    * an unprivileged port by default.
                    */
                   // query-source address * port 53;
           };
           //
           zone "cities.dec.com" {
                   type slave;
                   file "hosts.db";
                   masters {
                           120.105.4.5;
                   };
           };
           zone "120.105.in-addr.arpa" {
                   type slave;
                   file "hosts.rev";
                   masters {
                           120.105.4.5;
                   };
           };
           //
           //
           zone "0.0.127.in-addr.arpa" {
                   type master;
                   file "named.local";
           };
           //
           // load the cache data last
           zone "." {
                   type hint;
                   file "named.ca";
           };
           The following entry indicates that this host serves its
           own local host information (the line is in the older
           named.boot syntax; it corresponds to the
           0.0.127.in-addr.arpa zone statement in the named.conf file
           above):

           primary         0.0.127.in-addr.arpa    named.local

           The default directory in which the database files are
           stored is /etc/namedb.  You can store them in any
           directory; however, if you place them in a directory other
           than the default directory, you should change the
           /etc/namedb at the top of the configuration (boot) file to
           the name of the directory you have chosen.

           If necessary, configure authentication of zone transfers.
           See CONFIGURING AUTHENTICATION for more information.

       5.  Edit the /etc/rc.config.common file by using the
           /usr/sbin/rcmgr utility.  The syntax for the
           /usr/sbin/rcmgr command is as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following commands to edit the
           /etc/rc.config.common file and add the required
           information:

           # /usr/sbin/rcmgr set BIND_CONF YES
           # /usr/sbin/rcmgr set BIND_SERVERTYPE SLAVE
           # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

       6.  Edit the /etc/hosts file to add the fully qualified BIND
           name of the host.

           In order to run BIND, your system's host name must
           include the BIND domain name.  The fully qualified BIND
           host name consists of the local host name plus the BIND
           domain name, separated by dots.  For example, the fully
           qualified BIND host name for a system whose local host
           name is host2 and whose BIND domain name is
           cities.dec.com is host2.cities.dec.com.

           See the hosts(4) reference page for more information.

       7.  Edit the /etc/rc.config file by using the /usr/sbin/rcmgr
           utility.  The syntax for the /usr/sbin/rcmgr command is
           as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following command to edit the /etc/rc.config
           file and add the required information:

           # /usr/sbin/rcmgr set HOSTNAME host2.cities.dec.com

           Replace host2.cities.dec.com with your system's fully
           qualified BIND name.

       8.  Set the new host name with the /sbin/hostname command.

           For example, to set the host name to host2.cities.dec.com
           for a system that was previously known locally as host2,
           enter the following command:

           # /sbin/hostname host2.cities.dec.com

       9.  Start the named daemon by issuing the following command:

           # /sbin/init.d/named start
SETTING UP A STUB SERVER
       Use the following procedure to set up a BIND stub server:

       1.  Create the /etc/resolv.conf file.  See step 1 in the
           Setting Up the Master Server section.

       2.  Create the /etc/namedb/named.ca file.  See step 3 in the
           Setting Up the Master Server section.

       3.  Create the /etc/namedb/named.local file.  See step 4 in
           the Setting Up the Master Server section.

       4.  Create the configuration (boot) file.
           A configuration file for a stub server should have the
           format shown in the following example.  Replace
           cities.dec.com with your domain name, 120.105 with your
           network number, and 120.105.4.5 with the IP address of
           your domain's BIND master server:

           // named.conf
           options {
                   directory "/etc/namedb";
                   /*
                    * If there is a firewall between you and nameservers
                    * you want to talk to, you might need to uncomment the
                    * query-source directive below.  Previous versions of BIND
                    * always asked questions using port 53, but BIND 8.1 uses
                    * an unprivileged port by default.
                    */
                   // query-source address * port 53;
           };
           //
           zone "cities.dec.com" {
                   type stub;
                   file "hosts.db";
                   masters {
                           120.105.4.5;
                   };
           };
           zone "120.105.in-addr.arpa" {
                   type stub;
                   file "hosts.rev";
                   masters {
                           120.105.4.5;
                   };
           };
           //
           //
           zone "0.0.127.in-addr.arpa" {
                   type master;
                   file "named.local";
           };
           //
           // load the cache data last
           zone "." {
                   type hint;
                   file "named.ca";
           };
           The following entry indicates that this host serves its
           own local host information (the line is in the older
           named.boot syntax; it corresponds to the
           0.0.127.in-addr.arpa zone statement in the named.conf file
           above):

           primary         0.0.127.in-addr.arpa    named.local

           The default directory in which the database files are
           stored is /etc/namedb.  You can store them in any
           directory; however, if you place them in a directory other
           than the default directory, you should change the
           /etc/namedb at the top of the configuration (boot) file to
           the name of the directory you have chosen.

       5.  Edit the /etc/rc.config.common file by using the
           /usr/sbin/rcmgr utility.  The syntax for the
           /usr/sbin/rcmgr command is as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following commands to edit the
           /etc/rc.config.common file and add the required
           information:

           # /usr/sbin/rcmgr set BIND_CONF YES
           # /usr/sbin/rcmgr set BIND_SERVERTYPE STUB
           # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

       6.  Edit the /etc/hosts file to add the fully qualified BIND
           name of the host.

           In order to run BIND, your system's host name must
           include the BIND domain name.  The fully qualified BIND
           host name consists of the local host name plus the BIND
           domain name, separated by dots.  For example, the fully
           qualified BIND host name for a system whose local host
           name is host2 and whose BIND domain name is
           cities.dec.com is host2.cities.dec.com.

           See the hosts(4) reference page for more information.

       7.  Edit the /etc/rc.config file by using the /usr/sbin/rcmgr
           utility.  The syntax for the /usr/sbin/rcmgr command is
           as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following command to edit the /etc/rc.config
           file and add the required information:

           # /usr/sbin/rcmgr set HOSTNAME host2.cities.dec.com

           Replace host2.cities.dec.com with your system's fully
           qualified BIND name.

       8.  Set the new host name with the /sbin/hostname command.

           For example, to set the host name to host2.cities.dec.com
           for a system that was previously known locally as host2,
           enter the following command:

           # /sbin/hostname host2.cities.dec.com

       9.  Start the named daemon by issuing the following command:

           # /sbin/init.d/named start
SETTING UP A CACHING-ONLY SERVER
       Use the following procedure to set up a BIND caching-only
       server:

       1.  Create the /etc/resolv.conf file.  See step 1 in the
           Setting Up the Master Server section.

       2.  Create the /etc/namedb/named.ca file.  See step 3 in the
           Setting Up the Master Server section.

       3.  Create the /etc/namedb/named.local file.  See step 4 in
           the Setting Up the Master Server section.

       4.  Create the configuration (boot) file.
           The following is a sample named.conf file for a
           caching-only server.  Replace the information shown with
           the values appropriate for a caching-only server in your
           domain:

           // named.conf
           options {
                   directory "/etc/namedb";
                   /*
                    * If there is a firewall between you and nameservers
                    * you want to talk to, you might need to uncomment the
                    * query-source directive below.  Previous versions of BIND
                    * always asked questions using port 53, but BIND 8.1 uses
                    * an unprivileged port by default.
                    */
                   // query-source address * port 53;
           };
           //
           zone "0.0.127.in-addr.arpa" {
                   type master;
                   file "named.local";
           };
           //
           // load the cache data last
           zone "." {
                   type hint;
                   file "named.ca";
           };
           The default directory in which the database files are
           stored is /etc/namedb.  You can store them in any
           directory; however, if you place them in a directory other
           than the default directory, you should change the
           /etc/namedb entry at the top of the configuration (boot)
           file to the name of the directory you have chosen.

       5.  Edit the /etc/rc.config.common file by using the
           /usr/sbin/rcmgr utility.  The syntax for the
           /usr/sbin/rcmgr command is as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following commands to edit the
           /etc/rc.config.common file and add the required
           information:

           # /usr/sbin/rcmgr set BIND_CONF YES
           # /usr/sbin/rcmgr set BIND_SERVERTYPE CACHING
           # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

       6.  Edit the /etc/hosts file with the fully qualified BIND
           name of the host.

           In order to run BIND, your system's host name must
           include the BIND domain name.  The fully qualified BIND
           host name consists of the local host name plus the BIND
           domain name, separated by dots.  For example, the fully
           qualified BIND host name for a system whose local host
           name is host3 and whose BIND domain name is
           cities.dec.com is host3.cities.dec.com.

           See the hosts(4) reference page for more information.

       7.  Edit the /etc/rc.config file by using the /usr/sbin/rcmgr
           utility.  The syntax for the /usr/sbin/rcmgr command is
           as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following command to edit the /etc/rc.config
           file and add the required information:

           # /usr/sbin/rcmgr set HOSTNAME host3.cities.dec.com

           Replace host3.cities.dec.com with your system's fully
           qualified BIND name.

       8.  Set the new host name with the /sbin/hostname command.

           For example, to set the host name to host3.cities.dec.com
           for a system that was previously known locally as host3,
           enter the following command:

           # /sbin/hostname host3.cities.dec.com

       9.  Start the named daemon by issuing the following command:

           # /sbin/init.d/named start
SETTING UP A FORWARD-ONLY SERVER
       Use the following procedure to set up a BIND forward-only
       server:

       1.  Create the /etc/resolv.conf file.  See step 1 in the
           Setting Up the Master Server section.

       2.  Create the /etc/namedb/named.local file.  See step 4 in
           the Setting Up the Master Server section.

       3.  Create the configuration (boot) file.

           The following is a sample named.conf file for a
           forward-only server.  Replace 120.105.4.5 with the IP
           address of the BIND master server in your domain:
           // named.conf
           options {
                   directory "/etc/namedb";
                   forward only;
                   forwarders {
                           120.105.4.5;
                   };
                   /*
                    * If there is a firewall between you and nameservers
                    * you want to talk to, you might need to uncomment the
                    * query-source directive below.  Previous versions of BIND
                    * always asked questions using port 53, but BIND 8.1 uses
                    * an unprivileged port by default.
                    */
                   // query-source address * port 53;
           };
           //
           //
           zone "0.0.127.in-addr.arpa" {
                   type master;
                   file "named.local";
           };
           The default directory in which the database files are
           stored is /etc/namedb.  You can store them in any
           directory; however, if you place them in a directory other
           than the default directory, you should change the
           /etc/namedb entry at the top of the configuration (boot)
           file to the name of the directory you have chosen.

       4.  Edit the /etc/rc.config.common file by using the
           /usr/sbin/rcmgr utility.  The syntax for the
           /usr/sbin/rcmgr command is as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following commands to edit the
           /etc/rc.config.common file and add the required
           information:

           # /usr/sbin/rcmgr set BIND_CONF YES
           # /usr/sbin/rcmgr set BIND_SERVERTYPE FORWARDER
           # /usr/sbin/rcmgr set BIND_SERVERARGS "-b /etc/namedb/named.conf"

       5.  Edit the /etc/hosts file and add the fully qualified BIND
           name of the host.

           To run BIND, your system's host name must include the
           BIND domain name.  The fully qualified BIND host name
           consists of the local host name plus the BIND domain
           name, separated by dots.  For example, the fully
           qualified BIND host name for a system whose local host
           name is host4 and whose BIND domain name is
           cities.dec.com is host4.cities.dec.com.

           See the hosts(4) reference page for more information.

       6.  Edit the /etc/rc.config file by using the /usr/sbin/rcmgr
           utility.  The syntax for the /usr/sbin/rcmgr command is
           as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following command to edit the /etc/rc.config
           file and add the required information:

           # /usr/sbin/rcmgr set HOSTNAME host4.cities.dec.com

           Replace host4.cities.dec.com with your system's fully
           qualified BIND name.

       7.  Set the new host name with the /sbin/hostname command.

           For example, to set the host name to host4.cities.dec.com
           for a system that was previously known locally as host4,
           enter the following command:

           # /sbin/hostname host4.cities.dec.com

       8.  Start the named daemon by issuing the following command:

           # /sbin/init.d/named start
SETTING UP A CLIENT
       Use the following procedure to set up a BIND client:

       1.  Create the /etc/resolv.conf file.

           The /etc/resolv.conf file for a client contains the
           domain name and the IP addresses of up to three servers
           for the domain.  These name servers are the systems that
           the local host can query to resolve host information.
           Format the /etc/resolv.conf file as follows, substituting
           your domain name for cities.dec.com and the IP addresses
           of your name servers for 120.105.4.5, 120.105.4.13, and
           120.105.5.160:

           ;
           ; BIND data file
           ;
           domain cities.dec.com
           nameserver 120.105.4.5
           nameserver 120.105.4.13
           nameserver 120.105.5.160

       2.  Edit the /etc/rc.config.common file by using the
           /usr/sbin/rcmgr utility.  The syntax for the
           /usr/sbin/rcmgr command is as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following commands to edit the
           /etc/rc.config.common file and add the required
           information:

           # /usr/sbin/rcmgr set BIND_CONF YES
           # /usr/sbin/rcmgr set BIND_SERVERTYPE CLIENT

       3.  Edit the /etc/rc.config file by using the /usr/sbin/rcmgr
           utility.  The syntax for the /usr/sbin/rcmgr command is
           as follows:

           /usr/sbin/rcmgr set variable value

           Enter the following command to edit the /etc/rc.config
           file and add the required information:

           # /usr/sbin/rcmgr set HOSTNAME host4.cities.dec.com

           Replace host4.cities.dec.com with your system's fully
           qualified BIND name.

       4.  Set the new host name with the /sbin/hostname command.

           For example, to set the host name to host4.cities.dec.com
           for a system that was previously known locally as host4,
           enter the following command:

           # /sbin/hostname host4.cities.dec.com
CONFIGURING AUTHENTICATION

       The following sections describe how to configure authentication
       on DNS servers for the following purposes:

       Secure dynamic updates
              Allow the master server to authenticate database updates
              it receives from clients.

       Secure zone transfers
              Allow the master server to authenticate zone transfer
              requests it receives from slave servers, and subsequently
              allow the slave servers to authenticate the zone
              transfers they receive from the master server.

       Authentication is useful only when the private key remains a
       secret between the servers; therefore, it is prudent to change
       this key frequently and to save the key file as specified in
       the following sections to prevent the key from being
       compromised.
   Configuring Secure Dynamic Updates

       To configure a master server to authenticate dynamic updates it
       receives from new DNS clients (Microsoft Windows systems), do
       the following:

                                  Note

       If you plan to use the nd6hostd daemon to update IPv6 zones, do
       not enable authentication for those zones.  The nd6hostd daemon
       does not support authentication.
       1.  Generate a private key using the dnskeygen command, as
           follows:

              # dnskeygen -H size -h -c -n key-name

              Valid key sizes are 512, 576, 640, 704, 768, 832, 896,
              960, and 1024.  Larger keys are more cumbersome, but
              they are more secure.

              You can supply any name for a key, but it is best to
              give the keys canonical names so they are easy to
              distinguish.  For example, if hosts from the
              xyz.corp.com zone send dynamic updates to your master
              server, marlin.xyz.corp.com, you might want to name your
              key xyznet-marlin_update.

              The dnskeygen command produces two files:

              K<key-name><proto-id><key-id>.key
              K<key-name><proto-id><key-id>.private

              Hereafter, these files are referred to as the .key and
              .private files.

              For more information about generating keys, see
              dnskeygen(1).

       2.  Create a file, possibly named named.keys, to contain the
           key configuration statement for the update.  This file
           should be readable and writable only by the superuser to
           prevent the private key from being compromised.  For
           example:

              # cd /etc/namedb
              # touch key-config-file
              # chmod 600 key-config-file

       3.  Incorporate the key information from the .private file into
           the key-config-file by adding the following key statement:

              key key-name {
                  algorithm hmac-md5;
                  secret "generated-key";
              };

              In the key statement, replace key-name with the name of
              the key and generated-key with the entire private key as
              it appears in the .private file.  It is best to enter
              the key by opening the .private file in another window,
              copying the necessary key text, and pasting the text
              into the text editor window.  There must be no line
              feeds or spaces between the quotes that contain the key;
              if even one character is entered incorrectly,
              authentication fails.

       4.  Add the following include statement to the top of the
           /etc/namedb/named.conf file:

              include "/etc/namedb/key-config-file";

              Replace key-config-file with the name of the key
              configuration file you created in steps 2 and 3.

              When the named daemon starts and reads the DNS data
              file, it calls the key-config-file and parses its
              contents.

       5.  Enable secure dynamic updates for the master zone by adding
           the allow-update substatement to the master zone statements
           (for forward and reverse lookups) in the named.conf file:

              zone "cities.dec.com" {
                      type master;
                      file "hosts.db";
                      allow-update {
                           key key-name;
                      };
              };

              zone "120.105.in-addr.arpa" {
                      type master;
                      file "hosts.rev";
                      allow-update {
                           key key-name;
                      };
              };

              Replace key-name with the name of the key you specified
              in the key configuration file you created in steps 2
              and 3.

              Specifying a key in this statement ensures that updates
              are successful only if they are signed with the private
              key.

       6.  Continue setting up your master server.  Otherwise, if you
           are enabling authentication on a running server, restart
           the named daemon by issuing the following command:

              # /sbin/init.d/named restart
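       Steps 2 and 3 place two requirements on the key configuration
       file: it must be readable and writable only by the superuser,
       and the secret between the quotes must be one unbroken token
       with no spaces or line feeds.  The following shell functions are
       an added example, not part of this reference page or of BIND:
       make_key_config writes a key statement under those constraints
       and check_key_config audits an existing file against them.  The
       function names, the directory, the key name and the secret (the
       base64 encoding of a sentence, not a dnskeygen output) are all
       constructed for the example.

```shell
#!/bin/sh
# Added example: build and audit a BIND key configuration file (the
# key-config-file of the reference page).  make_key_config and
# check_key_config are hypothetical helpers, not Tru64 or BIND commands.

# make_key_config KEY-NAME SECRET FILE
# Writes a key statement for KEY-NAME to FILE with mode 600.
# Refuses (returns 1, writes nothing) a secret containing anything other
# than base64 characters, which catches a pasted space or line feed.
make_key_config() {
    name=$1 secret=$2 file=$3
    case $secret in
        '' | *[!A-Za-z0-9+/=]*)
            echo "make_key_config: secret is empty or contains a non-base64 character" >&2
            return 1 ;;
    esac
    # umask 077 in a subshell so the file is never created world-readable,
    # even for an instant; chmod 600 covers a file that already existed.
    ( umask 077
      printf 'key %s {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' \
          "$name" "$secret" > "$file" ) && chmod 600 "$file"
}

# check_key_config FILE
# Returns 0 only if FILE is mode 600 and holds exactly one secret line
# whose quoted value is a single unbroken base64 token.
check_key_config() {
    file=$1
    mode=$(ls -l "$file" | cut -c1-10)        # first ten columns are portable across ls variants
    if [ "$mode" != "-rw-------" ]; then
        echo "check_key_config: $file has mode $mode, expected -rw-------" >&2
        return 1
    fi
    if [ "$(grep -c 'secret' "$file")" -ne 1 ]; then
        echo "check_key_config: $file must contain exactly one secret line" >&2
        return 1
    fi
    # A secret broken across lines or containing a blank fails this match.
    if ! grep -Eq '^[[:space:]]*secret "[A-Za-z0-9+/=]+";[[:space:]]*$' "$file"; then
        echo "check_key_config: secret in $file is not one unbroken base64 token" >&2
        return 1
    fi
}

# Demo with constructed values: the "secret" is the base64 of a sentence,
# not a key produced by dnskeygen.
DEMO_DIR=$(mktemp -d)
make_key_config xyznet-marlin_update \
    'Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==' "$DEMO_DIR/named.keys" \
    && check_key_config "$DEMO_DIR/named.keys" && cat "$DEMO_DIR/named.keys"
```

       Run check_key_config against /etc/namedb/key-config-file after
       pasting the key; a rejected file is the cheap way to find the
       stray line feed before named reports failed signatures.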
       Once you have configured  the  master  server  to  support
       secure  dynamic  DNS  updates  from  new  hosts,  you  can
       distribute the private key as necessary to  administrators
       who  need to add these hosts to the network. It is best to
       physically distribute the key on magnetic or optical media
       as  opposed to sending it over the network where it can be
       compromised.
       You can format a floppy for this  purpose.  See  mtools(1)
       for  information  about  formatting  and reading Microsoft
       Windows-compatible floppy disks on a Tru64 UNIX system. If
       the described tools are not available, you need to install
       the OSFDOSTOOLS subset.
       Note that when clients send updates to the master  server,
       the  named  daemon  does not immediately update the master
       database files.  It creates  temporary  database.ixfr  and
       database.log  files  where  it logs the changes until they
       can be incorporated into the database. However, the daemon
       does  become  aware  of  the updates almost immediately in
       memory. You can verify them with the nslookup command. See
       nslookup(8).
   Configuring Secure Zone Transfers

       To configure a master server and slave servers to use
       authentication for zone transfers, do the following:

       1.  On the master server, perform steps 1-4 as specified in
           Configuring Secure Dynamic Updates.

              When creating a key name, choose a name that describes
              the zone transfer.  For example, if the master server,
              marlin.xyz.corp.com, is sending updates to the slave
              server, minnow.xyz.corp.com, for the xyz.corp.com zone,
              you might name the key xyznet-marlin-minnow_transfer.

       2.  On the master server, add the allow-transfer substatement
           to the master zone statements (for forward and reverse
           lookups) in the /etc/namedb/named.conf file:

              include "/etc/namedb/key-config-file";
                           .
                           .
                           .
              zone "cities.dec.com" {
                      type master;
                      file "hosts.db";
                      allow-transfer {
                           key key-name;
                      };
              };

              zone "120.105.in-addr.arpa" {
                      type master;
                      file "hosts.rev";
                      allow-transfer {
                           key key-name;
                      };
              };

              Replace key-name with the name of the key as you
              specified it in the key configuration file you created
              in steps 2 and 3 of Configuring Secure Dynamic Updates.

              Adding this statement ensures that the master server
              transfers the zone only if the request is signed with
              the private key.  It also ensures that the master server
              signs the zone transfer with the key before it sends the
              data to the slave server.

       3.  Transfer the key configuration file (key-config-file or
           named.keys) from the master server to the slave server.  It
           is best to physically transfer this file on magnetic or
           optical media as opposed to sending it over the network
           where it can be compromised.

              You can format a floppy for this purpose.  See mtools(1)
              for information about formatting and reading Microsoft
              Windows-compatible floppy disks on a Tru64 UNIX system.
              If the described tools are not available, you need to
              install the OSFDOSTOOLS subset.

       4.  On the slave server, ensure that the permissions are set so
           that the file is readable and writable only by the
           superuser:

              # chmod 600 key-config-file

       5.  On the slave server, add an include statement to the
           named.conf file to call the key-config-file.  Also, insert
           the server statement after the include statement and
           before any zone statements:

              include "/etc/namedb/key-config-file";
                      .
                      .
                      .
              server 120.105.4.5 {
                      keys { key-name; };
              };

              Replace key-config-file with the name of the key
              configuration file you copied over from the master
              server.  Replace 120.105.4.5 with the IP address of your
              master server.  Finally, replace key-name with the name
              of the key you specified in the key-config-file.

              Adding the server statement ensures that the slave
              server signs requests for zone transfers from the master
              server with the private key.  It also ensures that the
              slave server authenticates signed zone transfers from
              the master server before it incorporates them into its
              data files.

       6.  Continue setting up your master or slave servers.
           Otherwise, if you are enabling authentication on running
           servers, restart the named daemon on each server by issuing
           the following command:

              # /sbin/init.d/named restart
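       Both procedures rest on one property of the zone statements in
       named.conf: the allow-update and allow-transfer lists name only
       a key.  Any other element in one of those lists (an address, a
       network, or any) admits a matching request on its own, with no
       signature, so a list such as { key k; 120.105.4.13; } no longer
       gives the signed-only guarantee described above.  The following
       shell function is an added example, not part of this reference
       page or of BIND: it scans a named.conf for master zones whose
       allow-update or allow-transfer list breaks that rule, and so
       serves as a check for both the dynamic-update and the
       zone-transfer setup.  audit_zone_acl is a hypothetical helper;
       the sample named.conf, with its zone names, key names and
       addresses, is constructed from the page's placeholders.  The
       scan is a plain text match that assumes one such clause per
       zone and no braces inside comments.  A missing allow-update is
       not reported, because named refuses updates when the clause is
       absent; a missing allow-transfer is reported, because without
       it nothing restricts transfers to signed requests.

```shell
#!/bin/sh
# Added example: scan named.conf master zones for allow-update /
# allow-transfer lists that admit unsigned requests.  audit_zone_acl is
# a hypothetical helper, not part of BIND or Tru64.

# audit_zone_acl NAMED.CONF CLAUSE
# CLAUSE is allow-update or allow-transfer.  Prints one line per master
# zone whose CLAUSE does not restrict the operation to signed requests
# and returns 1 if anything was printed; returns 0 when all zones pass.
audit_zone_acl() {
    conf=$1 clause=$2
    case $clause in
        allow-update)   miss=0 ;;  # updates are refused when the clause is absent, so absence is safe
        allow-transfer) miss=1 ;;  # absence leaves transfers unrestricted by any key
        *) echo "audit_zone_acl: unknown clause $clause" >&2; return 2 ;;
    esac
    out=$(awk -v clause="$clause" -v miss="$miss" '
        { buf = buf " " $0 }                        # flatten: the file layout is irrelevant
        END {
            n = split(buf, part, /zone[ \t]+"/)       # part[2..n] each begin with a zone name
            for (i = 2; i <= n; i++) {
                body = part[i]; name = body; sub(/".*/, "", name)
                if (body !~ /type[ \t]+master[ \t]*;/) continue   # only masters carry these clauses
                if (!match(body, clause "[ \t]*[{][^}]*[}]")) {
                    if (miss) print name ": no " clause " statement"
                    continue
                }
                list = substr(body, RSTART, RLENGTH)
                sub(/^[^{]*[{]/, "", list); sub(/[}].*$/, "", list)
                m = split(list, el, ";")
                for (j = 1; j <= m; j++) {
                    e = el[j]; gsub(/^[ \t]+|[ \t]+$/, "", e)
                    # Each element admits a request by itself, so a single
                    # address, network or "any" entry bypasses the key check.
                    if (e != "" && e !~ /^key[ \t]+/) {
                        print name ": " clause " has non-key element \"" e "\""
                        break
                    }
                }
            }
        }' "$conf")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample named.conf built from the placeholders of the
# reference page: the reverse zone still allows transfers by address,
# which is the misconfiguration the audit is meant to catch.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
include "/etc/namedb/named.keys";

zone "cities.dec.com" {
        type master;
        file "hosts.db";
        allow-update { key xyznet-marlin_update; };
        allow-transfer { key xyznet-marlin-minnow_transfer; };
};

zone "120.105.in-addr.arpa" {
        type master;
        file "hosts.rev";
        allow-transfer { 120.105.4.13; };
};

zone "xyz.corp.com" {
        type slave;
        file "xyz.corp.com.bak";
        masters { 120.105.4.5; };
};
EOF

# Demo: the first call prints nothing, the second reports the reverse zone.
audit_zone_acl "$SAMPLE_CONF" allow-update   || true
audit_zone_acl "$SAMPLE_CONF" allow-transfer || true
```

       Run it as audit_zone_acl /etc/namedb/named.conf allow-transfer
       on the master after step 2, and again with allow-update after
       the dynamic-update setup; a non-zero return means at least one
       master zone still accepts the operation from an unsigned
       source.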
POST-SETUP PROCEDURES

       After you configure BIND on your system, you must restart the
       sendmail process and edit the /etc/svc.conf file.

   Restarting the sendmail Process

       To kill and restart the sendmail process, enter the following
       command:

       # /sbin/init.d/sendmail restart

   Editing the svc.conf File

       The /etc/svc.conf file is the database service selection
       configuration file that your system references to determine
       what distributed database lookup services are running on your
       system, which databases are being served by them, and in what
       order to query them.  After configuring BIND, you must edit the
       /etc/svc.conf file to tell your system that you want BIND
       servers queried for host name and address information.  For
       information on editing the /etc/svc.conf file, see the
       svc.conf(4) and svcsetup(8) reference pages and the Network
       Administration: Services manual.

SEE ALSO

       Commands: bindconfig(8), dnskeygen(1), named(8), nslookup(8),
       svcsetup(8)

       Files: named.conf(4), resolv.conf(4), svc.conf(4)

       Networking: bind_intro(7)

       Network Administration: Services