Before we introduce the new features, however, we’d better cover address match lists. BIND 8 and 9 use address match lists for nearly every security feature and for some features that aren’t security-related at all.

An address match list is a list (what else?) of terms that specifies one or more IP addresses. The elements in the list can be individual IP addresses, IP prefixes, or a named address match list (more on those shortly).^[*] An IP prefix has the format:

network in dotted-octet format/bits in netmask

For example, the network 15.0.0.0 with the network mask 255.0.0.0 (eight contiguous ones) is written 15/8. Traditionally, this would have been thought of as the “class A” network 15. The network consisting of IP addresses 192.168.1.192 through 192.168.1.255, on the other hand, would be written 192.168.1.192/26 (network 192.168.1.192 with the netmask 255.255.255.192, which has 26 contiguous ones). Here’s an address match list comprising those two networks:

15/8; 192.168.1.192/26;

A named address match list is just that: an address match list with a name. To be used within another address match list, a named address match list must have been previously defined in named.conf with an acl statement. The acl statement has a simple syntax:

acl name { address_match_list; };

This just makes the name equivalent to that address match list from now on. Although the name of the statement, acl, suggests “access control list,” you can use the named address match list anywhere an address match list is accepted, including some places that don’t have anything to do with access control.

Whenever you use one or more of the same terms in a few access control lists, it’s a good idea to use an acl statement to associate them with a name. You can then refer to the name in the address match list. For example, let’s call 15/8 what it is: “HP-NET.” And we’ll call 192.168.1.192/26 “internal”:

acl "HP-NET" { 15/8; };

acl "internal" { 192.168.1.192/26; };

Now we can refer to these address match lists by name in other address match lists. This not only cuts down on typing and simplifies managing your address match lists, it makes the resulting named.conf file more readable.

We prudently enclosed the names of our ACLs in quotes to avoid collisions with words BIND reserves for its own use. If you’re sure your ACL names don’t conflict with reserved words, you don’t need the quotes.

There are four predefined named address match lists:

The world of the Internet—and of TCP/IP networking in general—has become a much more dynamic place. Most large corporations use DHCP to control IP address assignment. Nearly all ISPs assign addresses to dial-up and cable modem customers using DHCP. To keep up, DNS needed to support the dynamic addition and deletion of records. RFC 2136 introduced this mechanism, called DNS Dynamic Update.

BIND 8 and 9 support the dynamic update facility described in RFC 2136. This permits authorized updaters to add and delete resource records from a zone for which a nameserver is authoritative. An updater can find the authoritative nameservers for a zone by retrieving the zone’s NS records. If the nameserver receiving an authorized update message is not the primary master for the zone, it forwards the update “upstream” to its master server, a process referred to as update forwarding. If this next server, in turn, is a slave for the zone, it also forwards the update upstream. Only the primary nameserver for a zone, after all, has a writable copy of the zone data; all the slaves get their copies of the zone data from the primary, either directly or indirectly (through other slaves). Once the primary has processed the dynamic update and modified the zone, the slaves can get a new copy of it via zone transfers.

Dynamic update permits more than the simple addition and deletion of records. Updaters can add or delete individual resource records, delete RRsets (a set of resource records with the same domain name, class, and type, such as all the addresses of www.movie.edu), or even delete all records associated with a given domain name. An update can also stipulate that certain records exist or not exist in the zone as a prerequisite to the update’s taking effect. For example, an update can add the address record:

armageddon.fx.movie.edu.  300  IN  A  192.253.253.15

only if the domain name armageddon.fx.movie.edu isn’t currently being used or only if armageddon.fx.movie.edu currently has no address records.

For the most part, dynamic update functionality is used by programs such as DHCP servers that assign IP addresses automatically to computers and then need to register the resulting name-to-address and address-to-name mappings. Some of these programs use the new ns_update() resolver routine to create update messages and send them to an authoritative server for the zone that contains the domain name.

It’s also possible to create updates manually with the command-line program nsupdate, which is part of the standard BIND distribution. nsupdate reads one-line commands and translates them into an update message. Commands can be specified on standard input (the default) or in a file, whose name must be given as an argument to nsupdate. Commands not separated by a blank line are incorporated into the same update message, as long as there’s room.

nsupdate understands the following commands:

So, for example, the command:

%nsupdate
> prereq nxdomain mib.fx.movie.edu.
> update add mib.fx.movie.edu. 300 A 192.253.253.16
> send

tells the server to add an address for mib.fx.movie.edu only if the domain name does not already exist. Note that BIND 8 versions of nsupdate before 8.4.5 use a blank line as a cue to send the update instead of the send command. Subtle, eh?

The following command checks to see whether mib.fx.movie.edu already has MX records and, if it does, deletes them and adds two in their place:

%nsupdate
> prereq yxrrset mib.fx.movie.edu. MX
> update delete mib.fx.movie.edu. MX
> update add mib.fx.movie.edu. 600 MX 10 mib.fx.movie.edu.
> update add mib.fx.movie.edu. 600 MX 50 postmanrings2x.movie.edu.
> send

As with queries, the nameservers that process dynamic updates answer them with DNS messages that indicate whether the update was successful and, if not, what went wrong. Updates may fail for many reasons: for example, because the nameserver wasn’t actually authoritative for the zone being updated, because a prerequisite wasn’t satisfied, or because the updater wasn’t allowed.

There are some limitations to what you can do with dynamic update: you can’t delete a zone entirely (though you can delete everything in it except the SOA record and one NS record), and you can’t add new zones.

;BIND LOG V8
[DYNAMIC_UPDATE] id 8761 from [192.249.249.3].1148 at 971389102 (named pid 17602):
zone:   origin movie.edu class IN serial 2000010957
update: {add} almostfamous.movie.edu. 600 IN A 192.249.249.215

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    allow-update { 192.253.253.100; }; // just our DHCP server
};

zone "fx.movie.edu" {
    type slave;
    file "bak.fx.movie.edu";
    allow-update-forwarding { 192.253.254/24; };
};

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    allow-update { key dhcp-server.fx.movie.edu.; }; // allow only updates
                                                     // signed by the DHCP
                                                     // server's TSIG key
};

(grant | deny) identity nametype string [types]

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy { grant mummy.fx.movie.edu. self mummy.fx.movie.edu.; };
};

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy { grant mummy.fx.movie.edu. self mummy.fx.movie.edu. A; };
};

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
};

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy {
        grant dhcp-server.fx.movie.edu. wildcard *.fx.movie.edu. A TXT PTR;
    };
};

grant dhcp-server.fx.movie.edu. subdomain fx.movie.edu.

grant dhcp-server.fx.movie.edu. wildcard *.fx.movie.edu.

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy {
        grant matrix.fx.movie.edu. subdomain _udp.fx.movie.edu. SRV CNAME A;
        grant matrix.fx.movie.edu. subdomain _tcp.fx.movie.edu. SRV CNAME A;
        grant matrix.fx.movie.edu. subdomain _sites.fx.movie.edu. SRV CNAME A;
        grant matrix.fx.movie.edu. subdomain _msdcs.fx.movie.edu. SRV CNAME A;
        deny *.fx.movie.edu. self *.fx.movie.edu. SRV;
        grant *.fx.movie.edu. self *.fx.movie.edu. ANY;
    };
};

Traditionally, BIND slaves have used a polling scheme to determine when they need a zone transfer. The polling interval is called the refresh interval. Other parameters in the zone’s SOA record govern other aspects of the polling mechanism.

But with this polling scheme, it can take up to the refresh interval before a slave detects and transfers new zone data from its master nameserver. That kind of latency can wreak havoc in a dynamically updated environment. Wouldn’t it be nice if the primary nameserver could tell its slave servers when the information in the zone changed? After all, the primary nameserver knows the data has changed; someone reloaded the data or it received and processed a dynamic update. The primary could send notification right after processing the reload or update instead of waiting for the refresh interval to pass.^[*]

RFC 1996 proposed a mechanism that would allow primary nameservers to notify their slaves of changes to a zone’s data. BIND 8 and 9 implement this scheme, which is called DNS NOTIFY.

DNS NOTIFY works like this: when a primary nameserver notices that the serial number of a zone has changed, it sends a special announcement to all the slave nameservers for that zone. The primary nameserver determines which servers are the slaves for the zone by looking at the list of NS records in the zone and taking out the record that points to the nameserver listed in the MNAME field of the zone’s SOA record as well as the domain name of the local host.

When does the nameserver notice a change? Restarting a primary nameserver causes it to notify all its slaves as to the current serial number of all of its zones because the primary has no way of knowing whether its zone datafiles were edited before it started. Reloading one or more zones with new serial numbers causes a nameserver to notify the slaves of those zones. And a dynamic update that causes a zone’s serial number to increment also causes notification.

The special NOTIFY announcement is identified by its opcode in the DNS header. The opcode for most queries is QUERY. NOTIFY messages, including announcements and responses, have a special opcode, NOTIFY (duh). Other than that, NOTIFY messages look very much like a response to a query for a zone’s SOA record: they include the SOA record of the zone whose serial number has changed, and the authoritative answer bit is set.

When a slave receives a NOTIFY announcement for a zone from one of its configured master nameservers, it responds with a NOTIFY response. The response tells the master that the slave received the NOTIFY announcement so that the master can stop sending it NOTIFY announcements for the zone. The slave then proceeds just as if the refresh timer for that zone had expired: it queries the master nameserver for the SOA record for the zone that the master claims has changed. If the serial number is higher, the slave transfers the zone.

Why doesn’t the slave simply take the master’s word that the zone has changed? It’s possible that a miscreant could forge NOTIFY announcements to slaves, causing lots of unnecessary zone transfers and amounting to a denial-of-service attack against a master nameserver.

If the slave actually transfers the zone, RFC 1996 says that it should issue its own NOTIFY announcements to the other authoritative nameservers for the zone. The idea is that the primary master may not be able to notify all the slave nameservers for the zone itself because it’s possible some slaves can’t communicate directly with the primary (they use another slave as their master). However, while BIND 8.2.3 and later and all BIND 9 nameservers implement this, earlier versions of BIND 8 don’t. Older BIND 8 slaves don’t send NOTIFY messages unless explicitly configured to do so.

Here’s how that works in practice. On our network, toystory.movie.edu is the primary nameserver for movie.edu, and wormhole.movie.edu and zardoz.movie.edu are slaves, as shown in Figure 10-1.

Figure 10-1. movie.edu zone transfers

When we edit and reload or dynamically update movie.edu on toystory.movie.edu , toystory.movie.edu sends NOTIFY announcements to wormhole.movie.edu and zardoz.movie.edu . Both slaves respond to toystory.movie.edu , telling it that they’ve received the notification. They then check to see whether movie.edu’s serial number has incremented and, when they find it has, perform a zone transfer. If wormhole.movie.edu and zardoz.movie.edu are running BIND 8.2.3 or later or BIND 9, after they transfer the new version of the zone, they also send NOTIFY announcements to tell each other about the change. But since wormhole.movie.edu isn’t zardoz.movie.edu ’s master nameserver for movie.edu, and the converse isn’t true either, both slaves just ignore each other’s NOTIFY announcements.

BIND nameservers log information about NOTIFY messages to syslog. Here’s what BIND 8 running on toystory.movie.edu logged after we reloaded movie.edu:

Oct 14 22:56:34 toystory named[18764]: Sent NOTIFY for "movie.edu IN
SOA 2000010958" (movie.edu); 2 NS, 2 A
Oct 14 22:56:34 toystory named[18764]: Received NOTIFY answer (AA) from
192.249.249.1 for "movie.edu IN SOA"
Oct 14 22:56:34 toystory named[18764]: Received NOTIFY answer (AA) from
192.249.249.9 for "movie.edu IN SOA"

The first message shows us the NOTIFY announcement that toystory.movie.edu sent, informing the two slaves (2 NS) that the serial number of movie.edu is now 2000010958. The next two lines show the slave nameservers confirming their receipt of the notification.

A BIND 9 nameserver would have logged just:

Oct 14 22:56:34 toystory named[18764]: zone movie.edu/IN: sending notifies
(serial 2000010958)

Let’s also look at a more complicated zone transfer scheme. In Figure 10-2, a is the primary nameserver for the zone and b’s master server, but b is c’s master server. Moreover, b has two network interfaces.

Figure 10-2. Complex zone transfer example

In this scenario, a notifies both b and c after the zone is updated. Then b checks to see whether the zone’s serial number has incremented and initiates a zone transfer. However, c ignores a’s NOTIFY announcement because a is not c’s configured master nameserver (b is). If b is running BIND 8.2.3 or later, or BIND 9, or is explicitly configured to notify c, then after b’s zone transfer completes, it sends a NOTIFY announcement to c, which prompts c to check the serial number b holds for the zone. If c is also running BIND 8.2.3 or later or BIND 9, it sends b a NOTIFY announcement after its zone transfer finishes, which b, naturally, ignores.

Note also that if there’s any possibility that c will receive a NOTIFY announcement from b’s other network interface, c must be configured with both network interfaces’ addresses in the zone’s masters substatement, or else c will ignore NOTIFY announcements from the unknown interface.

BIND 4 slave nameservers and other nameservers that don’t support NOTIFY will respond with a Not Implemented (NOTIMP) error. Note that the Microsoft DNS Server does support DNS NOTIFY.

In both BIND 8 and 9, DNS NOTIFY is on by default, but you can turn off NOTIFY globally with the substatement:

options {
    notify no;
};

You can also turn on or off NOTIFY for a particular zone. For example, say we know that all the slave nameservers for our fx.movie.edu zone are running BIND 4 and therefore don’t understand NOTIFY announcements. The zone statement:

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    notify no;
};

avoids sending useless NOTIFY announcements to the slaves for fx.movie.edu. A zone-specific NOTIFY setting overrides any global setting for that zone. Unfortunately, neither BIND 8 nor BIND 9 allows you to turn off NOTIFY announcements on a server-by-server basis.

BIND 8 and 9 even have a provision for adding servers besides those in your zone’s NS records to your “NOTIFY list.” For example, you may have one or more unregistered slave nameservers (described in Chapter 8), and you’d like them to pick up changes to the zone quickly. Or you may have an older BIND 8 slave for the zone that is the master server for another slave and needs to send NOTIFY messages to the slave.

To add a server to your NOTIFY list, use the also-notify substatement of the zone statement:

zone "fx.movie.edu" {
    type slave;
    file "bak.fx.movie.edu";
    notify yes;
    also-notify { 15.255.152.4; }; // This is a BIND 8 slave, which
                                   // must be explicitly configured
                                   // to notify its slave
};

In BIND 8.2.2 and later nameservers, you can specify also-notify as an options substatement as well. This applies to all zones for which NOTIFY is on (and which don’t have their own also-notify substatements).

Beginning in BIND 8.3.2 and 9.1.0, you can specify explicit as an argument to the notify substatement; this suppresses NOTIFY messages to all nameservers except those in the also-notify list. For example, these two substatements tell the nameserver to send NOTIFY messages only to the slave at 192.249.249.20:

options {
    also-notify { 192.249.249.20; };
    notify explicit;
};

You can also use the allow-notify substatement to tell your nameserver to accept NOTIFY messages from nameservers other than just the configured master nameservers for a zone:

options {
    allow-notify { 192.249.249.17; }; // let 192.249.249.17 send NOTIFY msgs
};

As an options substatement, allow-notify affects all slave zones. When specified as a zone substatement, allow-notify overrides any global allow-notify for just that zone.

With dynamic update and NOTIFY, our zones are updated according to the changing state of the network, and those changes quickly propagate to all the authoritative nameservers for those zones. The picture’s complete, right?

Not quite. Imagine you run a large zone that’s dynamically updated with frightening frequency. That’s easy to envision: you might have a big zone to begin with, including thousands of clients, when all of a sudden management decides to implement Active Directory and DHCP. Now each of your clients updates its own address record in the zone, and the Domain Controllers update the records that tell clients which services they run. (There’s much more to come on Active Directory in Chapter 17.)

Each time your primary nameserver receives an update that increments the zone’s serial number, it sends a NOTIFY announcement to its slaves. And each time they receive NOTIFY announcements, the slaves check the serial number of the zone on their master server and, possibly, transfer the zone. If that zone is large, the transfer will take some time; another update could arrive in the interim. Your slaves could be transferring zones in perpetuity! At the very least, your nameservers will spend a lot of time transferring the whole zone when the change to the zone is probably very small (e.g., the addition of a client’s address record).

Incremental zone transfer, or IXFR for short, solves this problem by allowing slave nameservers to tell their master servers which version of a zone they currently hold and to request just the changes to the zone between that version and the current one. This can dramatically reduce the size and duration of a zone transfer.

An incremental zone transfer request has a query type of IXFR instead of AXFR (the type of query that initiates a full zone transfer), and it contains the slave’s current SOA record from the zone in the authority section of the message. When the master nameserver receives an incremental zone transfer request, it looks for the record of the changes to the zone between the slave’s version of the zone and the version the master holds. If that record is missing, the master sends a full zone transfer. Otherwise, it sends just the differences between the versions of the zone.

options {
    directory "/var/named";
    ixfr-from-differences yes;
};

% rndc freeze zone [class [view]]

% rndc thaw zone [class [view]]

options {
    directory "/var/named";
    maintain-ixfr-base yes;
};

server 192.249.249.3 {
    support-ixfr yes;
};

zone "movie.edu" {
    type master;
    file "db.movie.edu";
    ixfr-base "ixfr.movie.edu";
};

options {
    directory "/var/named";
    maintain-ixfr-base yes;
    max-ixfr-log-size 1M;     // trim IXFR log to 1 megabyte
};

server 192.249.249.1 {
    provide-ixfr no;
};

options {
    directory "/var/named";
    request-ixfr no;
};

server 192.249.249.3 {
    request-ixfr yes;     // of our masters, only toystory supports IXFR
};

Certain network connections discourage sending large volumes of traffic off-site, perhaps because it’s a slow link with high delay; a remote office’s satellite connection to the company’s network is an example. In these situations, you’ll want to limit the off-site DNS traffic to the bare minimum. BIND provides a mechanism to do this: forwarders.

Forwarders are also useful if you need to shunt name resolution to a particular nameserver. For example, if only one of the hosts on your network has Internet connectivity, and you run a nameserver on that host, you can configure your other nameservers to use it as a forwarder so that they can look up Internet domain names. (More on this use of forwarders when we discuss firewalls in Chapter 11.)

If you designate one or more servers at your site as forwarders, your nameservers will send all their off-site queries to the forwarders first. The idea is that the forwarders handle all the off-site queries generated at the site, building up a rich cache of information. For any given query in a remote zone, there is a high probability that the forwarder can answer the query from its cache, avoiding the need for the other servers to send queries off-site. You don’t do anything to a nameserver to make it a forwarder; you modify all the other servers at your site to direct their queries through the forwarders.

A primary or slave nameserver’s mode of operation changes slightly when it is configured to use a forwarder. If a resolver requests records that are already in the nameserver’s authoritative data or cached data, the nameserver answers with that information; this part of its operation hasn’t changed. However, if the records aren’t in its database, the nameserver sends the query to a forwarder and waits a short period for an answer before resuming normal operation and starting the iterative name resolution process. This mode of operation is called forward first. What the nameserver is doing differently here is sending a recursive query to the forwarder, expecting it to find the answer. At all other times, the nameserver sends out only nonrecursive queries to other nameservers.

For example, here is the BIND 8 and 9 forwarders substatement for nameservers in movie.edu. Both wormhole.movie.edu and toystory.movie.edu are the site’s forwarders. We add this forwarders substatement to every nameserver’s configuration file except the ones for the forwarders themselves:

options {
    forwarders { 192.249.249.1; 192.249.249.3; };
};

When you use forwarders, try to keep your site configuration simple. You could end up with configurations that are really twisted.

options {
    forwarders { 192.249.249.1; 192.249.249.3; };
    forward only;
};

options {
    forwarders { 192.249.249.1; 192.249.249.3;
        192.249.249.1; 192.249.249.3; };
    forward only;
};

zone "pixar.com" {
    type forward;
    forwarders { 138.72.10.20; 138.72.30.28; };
};

options {
    directory "/var/named";
    forwarders { 192.249.249.3; 192.249.249.1; };
};

zone "movie.edu" {
    type slave;
    masters { 192.249.249.3; };
    file "bak.movie.edu";
    forwarders {};
};

BIND 9 introduced views, another mechanism that’s very useful in firewalled environments. Views allow you to present one nameserver configuration to one community of hosts and a different configuration to another community. This is particularly handy if you’re running a nameserver on a host that receives queries from both your internal hosts and hosts on the Internet (we’ll cover this in the next chapter).

If you don’t configure any views, BIND 9 automatically creates a single, implicit view that it shows to all hosts that query it. To explicitly create a view, you use the view statement, which takes the name of the view as an argument:

view "internal" {
};

Although the name of the view can be just about anything, using a descriptive name is always a good idea. And while quoting the name of the view isn’t necessary, it’s helpful to do so to avoid conflict with words BIND reserves for its own use (“internal,” for example). The view statement must come after any options statement, though not necessarily right after it.

You can select which hosts “see” a particular view using the match-clients view substatement, which takes an address match list as an argument. If you don’t specify a community of hosts with match-clients, the view applies to all hosts.

Let’s say we’re setting up a special view of the fx.movie.edu zone on our nameservers that we want only the Special Effects department to see. We could create a view visible only to hosts on our subnet:

view "internal" {
    match-clients { 192.253.254/24; };
};

If you want to make that a little more readable, you can use an acl statement:

acl "fx-subnet" { 192.253.254/24; };

view "internal" {
    match-clients { "fx-subnet"; };
};

Just be sure you define the ACL outside the view because you can’t use acl statements inside views.

You can also specify who sees a view using the match-destinations view substatement, which, like match-clients, takes an address match list as an argument. match-destinations applies to nameservers with multiple IP addresses: clients querying one of a server’s IP address, might see one view, while those querying another address see a different view. match-clients and match-destinations can be used in combination, too, to select queries from a particular client and those sent to a particular address. There’s even a match-recursive-only Boolean substatement that will let you select only recursive or nonrecursive queries.

What can you put inside a view statement? Almost anything (well, except for acl statements). You can define zones with zone statements, describe remote nameservers with server statements, and configure TSIG keys with key statements. You can use most options substatements within a view, but if you do, don’t enclose them in an options statement; just use them “raw” in the view statement:

acl "fx-subnet" { 192.253.254/24; };

view "internal" {
    match-clients { "fx-subnet"; };
    recursion yes;  // turn recursion on for this view
                    // (it's off globally, in the options statement)
};

Any configuration option you specify within a view overrides the like-named global option (e.g., one in the options statement) for hosts that match match-clients.

For a complete list of what’s supported inside the view statement on the version of BIND 9 you run (because it changes from release to release), see the file doc/misc/options in the BIND distribution.

To give you an idea of the power of views, here’s the Special Effects lab’s full named.conf file:

options {
    directory "/var/named";
};

acl "fx-subnet" { 192.253.254/24; };

view "internal" {  // internal view 
 of our zones

    match-clients { "fx-subnet"; };

    zone "fx.movie.edu" {
        type master;
        file "db.fx.movie.edu";
    };

    zone "254.253.192.in-addr.arpa" {
        type master;
        file "db.192.253.254";
    };
};

view "external" {  // view of our zones for the rest of the world

    match-clients { any; };  // implicit
    recursion no;            // outside of our subnet, they shouldn't be
                             // requesting recursion
    zone "fx.movie.edu" {
        type master;
        file "db.fx.movie.edu.external";  // external zone datafile
    };

    zone "254.253.192.in-addr.arpa" {
        type master;
        file "db.192.253.254.external";   // external zone datafile
    };
};

Notice that each view has an fx.movie.edu and a 254.253.192.in-addr.arpa zone, but the zone datafiles are different in the internal and external views. This allows us to show the outside world a different “face” than we see internally.

The order of the view statements is important because the first view that a host’s IP address matches is the one that dictates what it sees. If the external view were listed first in the configuration file, it would occlude the internal view because the external view matches all addresses.

One last note on views (before we use them in the next chapter, anyway): if you configure even one view statement, all your zone statements must appear within explicit views.

Nameservers released since BIND 4.9 have formalized some load distribution functionality that has existed in patches to BIND for some time. Bryan Beecher wrote patches to BIND 4.8.3 to implement what he called “shuffle address records.” These were address records of a special type that the nameserver rotated between responses. For example, if the domain name foo.bar.baz had three “shuffled” IP addresses, 192.168.1.1, 192.168.1.2, and 192.168.1.3, an appropriately patched nameserver would give them out first in the order:

192.168.1.1 192.168.1.2 192.168.1.3

then in the order:

192.168.1.2 192.168.1.3 192.168.1.1

and then in the order:

192.168.1.3 192.168.1.1 192.168.1.2

before starting all over with the first order and repeating the rotation ad infinitum.

This functionality is enormously useful if you have a number of equivalent network resources, such as mirrored FTP servers, web servers, or terminal servers, and you’d like to spread the load among them. You establish one domain name that refers to the group of resources and configure clients to access that domain name, and the nameserver distributes requests among the IP addresses you list.

BIND 8 and 9 do away with the shuffle address record as a separate record type, subject to special handling. Instead, a modern nameserver rotates addresses for any domain name that has more than one A record. (In fact, the nameserver will rotate any type of record as long as a given domain name has more than one of them.)^[*] So the records:

foo.bar.baz.    60    IN    A    192.168.1.1
foo.bar.baz.    60    IN    A    192.168.1.2
foo.bar.baz.    60    IN    A    192.168.1.3

accomplish on a BIND 8 or 9 nameserver just what the shuffle address records did on a patched 4.8.3 server. The BIND documentation calls this process round-robin.

It’s a good idea to reduce the records’ time to live, too, as we did in this example. This ensures that if the addresses are cached on an intermediate nameserver that doesn’t support round-robin, they’ll time out of the cache quickly. If the intermediate nameserver looks up the name again, your authoritative nameserver can round-robin the addresses again.

Note that this is really load distribution, not load balancing, because the nameserver gives out the addresses in a completely deterministic way without regard to the actual load or capacity of the servers servicing the requests. In our example, the server at address 192.168.1.3 could be a 486DX33 running Linux and the other two servers HP9000 Superdomes, and the Linux box would still get a third of the queries. Listing a higher-capacity server’s address multiple times won’t help because BIND eliminates duplicate records.

foo1.bar.baz.   60   IN   A   192.168.1.1
foo2.bar.baz.   60   IN   A   192.168.1.2
foo3.bar.baz.   60   IN   A   192.168.1.3
foo.bar.baz.    60   IN   CNAME   foo1.bar.baz.
foo.bar.baz.    60   IN   CNAME   foo2.bar.baz.
foo.bar.baz.    60   IN   CNAME   foo3.bar.baz.

options {
    multiple-cnames yes;
};

options {
    rrset-order {
        class IN type A name "www.movie.edu" order fixed;
    };
};

options {
    rrset-order {
        order random;
    };
};

options {
    rrset-order {
        type A name "*.movie.edu" order cyclic;
    };
};

options {
    rrset-order {
        class IN type ANY name "*" order cyclic;
    };
};

Sometimes, neither round-robin nor any other configurable order is what you want. When you are contacting a host that has multiple network interfaces and hence multiple IP addresses, choosing a particular interface based on your host’s address may give you better performance. No rrset-order substatement can do that for you.

If the multihomed host is local and shares a network or subnet with your host, one of the multihomed host’s addresses is “closer.” If the multihomed host is remote, you may see better performance using one interface instead of another, but often it doesn’t matter much which address is used. In days long past, net 10 (the former ARPAnet “backbone”) was always closer than any other remote address. The Internet has improved drastically since those days, so you won’t often see a marked performance improvement when using one network over another for remote multihomed hosts, but we’ll cover that case anyway.

Before we get into address sorting by a nameserver, you should first look at whether address sorting by the resolver better suits your needs. (See the section "The sortlist Directive" in Chapter 6.) Since your resolver and nameserver may be on different networks, it often makes more sense for the resolver to sort addresses optimally for its host. Address sorting at the nameserver works fairly well, but it can be hard to optimize for every resolver it services.

In an uncommon turn of events, the nameserver’s address-sorting feature was removed in early versions of BIND 8, primarily because of the developers’ insistence that it had no place in the nameserver. The feature was restored—and in fact enhanced—in BIND 8.2. BIND 9.1.0 was the first BIND 9 release to support address sorting.

The key to address sorting is an options substatement called sortlist. The sortlist substatement takes an address match list as an argument. Unlike address match lists used as access control lists, though, sortlist’s has a very specialized interpretation. Each entry in the address match list is itself an address match list with either one or two elements.

If an entry has only one element, it’s used to check the IP address of a querier. If the querier’s address matches, then the nameserver sorts addresses in a response to that querier so that any addresses that match the element are first. Confusing? Here’s an example:

options {
    sortlist {
        { 192.249.249/24; };
    };
};

The only entry in this sort list has just one element. This sort list sorts addresses on the network 192.249.249/24 to the beginning of responses to queriers that are also on that network. So if the client at 192.249.249.101 looks up a domain name that owns two addresses, 192.249.249.87 and 192.253.253.87, the nameserver will sort 192.249.249.87 to the beginning of the response.

If an entry has two elements, the first element is used to match the IP address of a querier. If the querier’s address matches, the nameserver sorts addresses in a response to that querier so that any addresses that match the second element come first. The second element can actually be a whole address match list of several elements, in which case the first address added to the response is the one that matches first in the list. Here’s a simple example:

options {
    sortlist {
        { 192.249.249/24; { 192.249.249/24; 192.253.253/24; }; };
    };
};

This sort list applies to queriers on 192.249.249/24 and sends them addresses on their own network first, followed by addresses on 192.253.253/24.

The elements in the sort list specification can just as easily be subnets or even individual hosts:

options {
    sortlist {
        { 15.1.200/21;       // if the querier is on 15.1.200/21
            { 15.1.200/21;   // then prefer addresses on that subnet
            15/8; };         // or at least on 15/8
        };
    };
};

BIND 8’s topology feature is somewhat similar to sortlist, but it applies only to the process of choosing nameservers. (BIND 9 doesn’t support topology as of 9.3.2.) Earlier in the book, we described how BIND chooses between a number of nameservers that are authoritative for the same zone by selecting the nameserver with the lowest round-trip time. But we lied—a little. BIND 8 actually places remote nameservers in 64-millisecond bands when comparing RTT. The first band is actually only 32 milliseconds wide (there! we did it again), from 0 to 32 milliseconds. The next extends from 33 to 96 milliseconds, and so on. The bands are designed so that nameservers on different continents are always in different bands.

The idea is to favor nameservers in lower bands but to treat servers in the same band as equivalent. If a nameserver compares two remote servers’ RTTs, and one is in a lower band, the nameserver chooses to query the nameserver in the lower band. But if the remote servers are in the same band, the nameserver checks to see whether one of the remote servers is topologically closer.

So topology lets you introduce an element of fudge into the process of choosing a nameserver to query. It lets you favor nameservers on certain networks over others. Topology takes as an argument an address match list, where the entries are networks, listed in the order in which the local nameserver should prefer them (highest to lowest). Therefore:

topology {
    15/8;
    172.88/16;
};

tells the local nameserver to prefer nameservers on the network 15/8 over other nameservers, and nameservers on the network 172.88/16 over nameservers on networks other than 15/8. So if the nameserver has a choice between a nameserver on network 15/8, a nameserver on 172.88/16, and a nameserver on 192.168.1/24, assuming all three have RTT values in the same band, it will choose to query the nameserver on 15/8.

You can also negate entries in the topology address match list to penalize nameservers on certain networks. The earlier in the address match list the negated entry matches, the greater the penalty. You might use this to keep your nameserver from querying remote nameservers on a network that’s particularly flaky, for example.

By default, BIND resolvers send recursive queries, and, by default, BIND nameservers do the work required to answer them. (If you don’t remember how recursion works, see Chapter 2.) In the process of finding the answers to recursive queries, the nameserver builds up a cache of nonauthoritative information from other zones.

In some situations, it’s undesirable for nameservers to do the extra work required to answer a recursive query or to build up a cache of data. The root nameservers are an example of one of these situations. The root nameservers are so busy that they can’t expend the extra effort necessary to find the answers to recursive queries. Instead, they send a response based only on the authoritative data they have. The response may contain the answer, but it more likely contains a referral to other nameservers. And since the root servers do not support recursive queries, they don’t build up a cache of nonauthoritative data, which is good because their caches would be huge.^[*]

You can induce a BIND nameserver to run in nonrecursive mode with the following configuration (config) file statement:

options {
    recursion no;
};

Now the server will respond to recursive queries as if they were nonrecursive.

In conjunction with recursion no, there is one more configuration option necessary if you want to prevent your nameserver from building a cache:

options {
    fetch-glue no;
};

This stops the server from fetching missing glue when constructing the additional data section of a response. BIND 9 nameservers don’t fetch glue, so the fetch-glue substatement is obsolete in BIND 9.

If you choose to make one of your servers nonrecursive, don’t list that nameserver in any host’s resolv.conf file. While you can make your nameserver nonrecursive, there is no corresponding option to make your resolver work with a nonrecursive nameserver.^[*] If your nameserver needs to continue to serve one or more resolvers, you can use the allow-recursion substatement, available in BIND 8.2.1 and later (including BIND 9). allow-recursion takes an address match list as an argument; any queriers that match can send recursive queries, but everyone else is treated as if recursion were off:

options {
    allow-recursion { 192.253.254/24; };  // Only resolvers on the FX
                                          // subnet should be sending
                                          // recursive queries
};

allow-recursion’s default is to provide recursion to any IP address.

Also, don’t list a nonrecursive nameserver as a forwarder. When a nameserver is using another server as a forwarder, it forwards recursive queries to the forwarder. Use allow-recursion to permit just authorized nameservers to use your forwarder instead.

You can list a nonrecursive nameserver as one of the servers authoritative for your zone data (i.e., you can tell a parent nameserver to refer queries about your zone to this server). This works because nameservers send nonrecursive queries between themselves.

In your term as nameserver administrator, you might find some remote nameserver that responds with bad information—old, incorrect, badly formatted, or even deliberately deceptive. You can attempt to find an administrator to fix the problem. Or you can save yourself some grief and configure your nameserver not to ask questions of this server, which is possible with BIND 8, and BIND 9.1.0 and later. Here is the configuration file statement:

server 10.0.0.2 {
    bogus yes;
};

Of course, you fill in the correct IP address.

If you tell your nameserver to stop talking to a server that is the only server for a zone, don’t expect to be able to look up names in that zone. Hopefully, there are other servers for that zone that can provide good information.

An even more potent way of shutting out a remote nameserver is to put it on your blackhole list. Your nameserver won’t query nameservers on the list, and it won’t respond to their queries.^[*] blackhole is an options substatement that takes an address match list as an argument:

options {

    /* Don't waste your time trying to respond to queries from RFC 1918
       private addresses */

    blackhole {
        10/8;
        172.16/12;
        192.168/16;
    };
};

This prevents your nameserver from trying to respond to any queries it might receive from RFC 1918 private addresses. There are no routes on the Internet to these addresses, so trying to reply to them is a waste of CPU cycles and bandwidth.

The blackhole substatement is supported on BIND 8 versions after 8.2 and on BIND 9 after 9.1.0.

While for many nameservers BIND’s default configuration values work just fine, yours may be one of those that need some further tuning. In this section, we discuss all the various dials and switches available to you to tune your nameserver.

options {
    transfers-per-ns 
 2;
};

server 192.168.1.2 {
    transfers 2;
};

options {
    transfers-in 10;
};

options {
    transfers-out 10;
};

options {
    max-transfer-time-in 180;
};

options {
    max-transfer-time-in 60;
};

zone "rinkydink.com" {
    type slave;
    file "bak.rinkydink.com";
    masters { 192.168.1.2; };
    max-transfer-time-in 180;
};

options {
    max-refresh-time 86400;    // refresh should never be more than a day
    min-refresh-time 1800;     // or less than 30 minutes
};

options {
    transfer-format many-answers;
};

server 192.168.1.2 {
    transfer-format one-answer;
};

options {
    datasize size
};

options {
    stacksize size;
};

options {
    coresize size;
};

named[pid]: socket(SOCK_RAW): Too many open files

options {
    files number;
};

options {
    recursive-clients 5000;
};

Sep 22 02:26:11 toystory named[13979]: client 192.249.249.151#1677: no more
recursive clients: quota reached

options {
    serial-queries 1000;
};

options {
    cleaning-interval 120;
};

options {
    interface-interval 0;
};

options {
    statistics-interval 60;
};

options {
    max-ncache-ttl 3600;  // 3600 seconds is one hour
};

Now, to wrap things up, we’ll cover some configuration substatements related to your nameserver’s compatibility with resolvers and other nameservers.

The rfc2308-type1 substatement controls the format of the negative answers your nameserver sends. By default, BIND 8 and 9 nameservers include only the SOA record in a negative response from a zone. Another legitimate format for that response includes the zone’s NS records, too, but some older nameservers misinterpret such a response as a referral. If for some odd reason (odd because we can’t think of one) you want to send those NS records as well, use:

options {
    rfc2308-type1 yes;
};

rfc2308-type1 is first supported in BIND 8.2; BIND 9 doesn’t support it.

Older nameservers can also cause problems when you send them cached negative responses. Before the days of negative caching, all negative responses were, naturally, authoritative. But some nameserver implementers added a check to their servers: they’d accept only authoritative negative responses. Then, with the advent of negative caching, negative responses could be nonauthoritative. Oops!

The auth-nxdomain options substatement lets your nameserver falsely claim that a negative answer from its cache is actually authoritative, just so one of these older nameservers will believe it. By default, BIND 8 nameservers have auth-nxdomain on (set to yes); BIND 9 nameservers turn it off by default.

When some adventurous souls ported BIND 8.2.2 to Windows NT, they found they needed the nameserver to treat a carriage return and a newline at the end of a line (Windows’ end-of-line sequence) the same way it treated just a newline (Unix’s end-of-line). For that behavior, use:

options {
    treat-cr-as-space yes;
};

BIND 9 ignores this option because it always treats a carriage return and a newline the same way as a newline by itself.

Finally, if you run a BIND nameserver that’s configured as a slave to Microsoft DNS Servers with Active Directory-integrated zones, you may see an error message in syslog informing you that the zones’ serial numbers have decreased. This is a side effect of the replication mechanism Active Directory uses and isn’t cause for alarm. If you want to squelch the message, you can use BIND 9.3.0’s new multi-master zone substatement to tell your slave that the IP addresses in the masters substatement actually belong to multiple nameservers, not to multiple interfaces on a single nameserver:

zone "_msdcs.domain.com" {
    type slave;
    masters { 10.0.0.2; 10.0.0.3; };
    file "bak._msdcs.domain.com";
    multi-master yes;
};

Before we cover the next two topics, which include how domain names map to IPv6 addresses and vice versa, we’d better describe the representation and structure of IPv6 addresses. As you probably know, IPv6 addresses are 128 bits long. The preferred representation of an IPv6 address is eight groups of as many as four hexadecimal digits, separated by colons; for example:

2001:db80:0123:4567:89ab:cdef:0123:4567

The first group of hex digits (2001, in this example) represents the most significant (or highest-order) 16 bits of the address.

Groups of digits that begin with one or more zeros don’t need to be padded to four places, so you can also write the previous address as:

2001:db80:123:4567:89ab:cdef:123:4567

Each group must contain at least one digit, though, unless you’re using the :: notation. The :: notation allows you to compress sequential groups of zeros. This comes in handy when you’re specifying just an IPv6 prefix. For example:

2001:db80:dead:beef::

specifies the first 64 bits of an IPv6 address as 2001:db80:dead:beef and the remaining 64 as zeros.

You can also use :: at the beginning of an IPv6 address to specify a suffix. For example, the IPv6 loopback address is commonly written as:

::1

or 127 zeros followed by a single one. You can even use :: in the middle of an address as a shorthand for contiguous groups of zeros:

2001:db80:dead:beef::1

You can use the :: shorthand only once in an address, since more than one could be ambiguous.

IPv6 prefixes are specified in a format similar to IPv4’s CIDR notation. As many bits of the prefix as are significant are expressed in the standard IPv6 notation, followed by a slash and a decimal count of exactly how many significant bits there are. So the following three prefix specifications are equivalent (though obviously not equivalently terse):

2001:db80:dead:beef:0000:00f1:0000:0000/96
2001:db80:dead:beef:0:f1:0:0/96
2001:db80:dead:beef:0:f1::/96

The IPv6 equivalent of an IPv4 network number is called a global routing prefix. These are a variable number of high-order bits of the IPv6 address used to identify a particular network. All global unicast addresses have global routing prefixes that begin with the binary value 001. These are assigned by address registries or Internet service providers. The global routing prefix itself may be hierarchical, with an address registry responsible for allocating lower-order bits to various ISPs, and ISPs responsible for allocating the lowest-order bits of the prefix to its customers.

After the global routing prefix, IPv6 addresses may contain another variable number of bits that identify the particular subnet within a network, called the subnet ID. The remaining bits of the address identify a particular network interface and are referred to as the interface ID.

Here’s a diagram from RFC 3513 that shows how these parts fit together:

|         n bits         |   m bits  |       128-n-m bits         |
+------------------------+-----------+----------------------------+
| global routing prefix  | subnet ID |       interface ID         |
+------------------------+-----------+----------------------------+

According to RFC 3177, which recommends how IPv6 addresses should be allocated to sites:

Since IPv4 is relatively simple compared to IPv6, let’s cover the nameserver’s IPv4 configuration together with IPv6. BIND 8.4.0 and later and all BIND 9 nameservers can use both IPv4 and IPv6 as a transport; that is, they can send and receive queries and responses over IPv4 and IPv6. Both nameservers also support similar substatements to configure which network interfaces and ports they listen on and send queries from.

options {
    listen-on { 192.249.249/24; };
};

options {
    listen-on port 5353 { 192.249.249/24; };
};

options {
    listen-on { 192.249.249.1 port 5353; 192.253.253.1 port 1053; };
};

zone "movie.edu" {
    type slave;
    masters port 5353 { 192.249.249.1; };
    file "bak.movie.edu";
};

zone "movie.edu" {
    type slave;
    masters { 192.249.249.1 port 5353; 192.253.253.1 port 1053; };
    file "bak.movie.edu";
};

also-notify port 5353 { 192.249.249.9; 192.253.253.9; }; // zardoz's two addresses

also-notify { 192.249.249.9 port 5353; 192.249.249.1 port 1053; };

options {
    query-source address 192.249.249.1;
};

options {
    query-source address 192.249.249.1 port 53;
};

options {
    query-source address * port *;
};

options {
    transfer-source 192.249.249.1;
};

options {
    transfer-source 192.249.249.1 port 1053;
};

zone "movie.edu" {
    type slave;
    masters { 192.249.249.3; };
    file "bak.movie.edu";
    transfer-source 192.249.249.1; // always use IP address on same network
                                   // for transfers of movie.edu
};

options {
    notify-source 192.249.249.1;
};

zone "movie.edu" {
    type slave;
    masters { 192.249.249.3; };
    file "bak.movie.edu";
    notify-source 192.249.249.1 port 5353;
};

options {
    listen-on-v6 { any; };
};

options {
    listen-on-v6 port 1053 { any; };
};

options {
    transfer-source-v6 222:10:2521:1:210:4bff:fe10:d24;
};

options {
    transfer-source-v6 222:10:2521:1:210:4bff:fe10:d24 port 53;
};

options {
    notify-source-v6 222:10:2521:1:210:4bff:fe10:d24;
};

server 10.0.0.1 {
    edns no;
};

options {
    directory "/var/named";
    edns-udp-size 512;
};

ipv6-host    IN    AAAA    2001:db80:1:2:3:4:567:89ab

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.8.b.d.1.0.0.2.ip6.arpa.

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.8.b.d.1.0.0.2.ip6.arpa.
  IN  PTR  mash.ip6.movie.edu.

$ORIGIN movie.edu.
drunkenmaster  IN   A6   64  ::0210:4bff:fe10:0d24  subnet1.v6.movie.edu.

$ORIGIN v6.movie.edu.
subnet1  IN  A6  48  0:0:0:1::  movie-u.isp-a.net.
subnet1  IN  A6  48  0:0:0:1::  movie.isp-b.net.

$ORIGIN isp-a.net.
movie-u  IN  A6   40  0:0:21::  isp-a.rir-1.net.

$ORIGIN isp-b.net.
movie  IN  A6  40  0:0:42::  isp-b.rir-2.net.

$ORIGIN rir-1.net.
isp-a  IN  A6  36  0:0:0500::  rir-2.top-level-v6.net.

$ORIGIN rir-2.net.
isp-b   IN  A6  36  0:0:0600:: rir-1.top-level-v6.net.

$ORIGIN top-level-v6.net.
rir-1    IN    A6    0    2001:db80::2
rir-2    IN    A6    0    2001:db80::6

2001:db80:2521:1:210:4bff:fe10:d24
2001:db80:6642:1:210:4bff:fe10:d24

$TTL 1d
@    IN  SOA    toystory.movie.edu.  root.movie.edu. (
    2000102300
    3h
    30m
    30d
    1h  )

    IN   NS     toystory.movie.edu.
    IN   NS     wormhole.movie.edu.

    IN   MX     10 postmanrings2x.movie.edu.

    IN   DNAME  movie.edu.

cuckoosnest.movieu.edu.  IN  CNAME  cuckoosnest.movie.edu.

[x2001db802521000102104bfffe100d24]
[x2001db806642000102104bfffe100d24]

0.0.1.0.0.1.0.0.1.0.1.1.0.0.0.0.0.0.0.0.1.0.0.0.0.1.1.1.1.1.1.1...

$ORIGIN ip6.arpa.
[x2001db802/36]    IN     DNAME      ip6.rir-1.net.
[x2001db806/36]    IN     DNAME      ip6.rir-2.net.

[x2001db806642000102104bfffe100d24].ip6.arpa.  IN  CNAME
[x642000102104bfffe100d24].ip6.rir-2.net.

$ORIGIN ip6.rir-2.net.
[x6/4]   IN   DNAME     ip6.isp-b.net.

[x642000102104bfffe100d24].ip6.rir-2.net

[x42000102104bfffe100d24].ip6.isp-b.net

$ORIGIN ip6.isp-b.net.
[x42/8]    IN   DNAME    ip6.movie.edu.

[x000102104bfffe100d24].ip6.movie.edu

$ORIGIN ip6.movie.edu.
[x000102104bfffe100d24/80]  IN   PTR   drunkenmaster.ip6.movie.edu.