BIND 9.3.2 Release Notes (5900-1575, April 2011)

For more information on the new DNSSEC options, see named.conf(1).
New DNSSEC statement in the options statement
BIND 9.3.2 contains trusted-keys, a new DNSSEC statement in the options statement located
in the /etc/named.conf file. The trusted-keys statement defines DNSSEC security roots.
A security root is defined when the public key for a non-authoritative zone cannot be securely
obtained through DNS, either because it is the DNS root zone or because its parent zone is
unsigned. When a key is configured as a trusted key, it is treated as if it is validated and is
secure. The resolver attempts DNSSEC validation on all DNS data in the subdomains of a
security root. The trusted-keys statement can contain multiple key entries, each consisting
of the key's domain name, flags, protocol, algorithm, and the base-64 representation of the
key data. For more information on the trusted-keys statement, see named.conf(1).
Support for the ip6.arpa domain
BIND 9.3.2 uses the ip6.arpa domain for IPv6 forward lookups, instead of the ip6.int domain.
However, BIND 9.3.2 continues to support the ip6.int domain for backward compatibility.
BIND 9.3.2 also uses the ip6.arpa domain for storing IPv6 addresses in the DNS. The existing
queries that perform additional section processing to locate IPv4 addresses are redefined to perform
additional section processing on both IPv4 and IPv6 addresses.
The ip6.arpa domain is a special domain defined to look up a record given an IPv6 address.
This domain provides a method to map an IPv6 address to a host name.
An IPv6 address is represented as a name in the ip6.arpa domain by a sequence of nibbles
separated by dots with the suffix .ip6.arpa. The sequence of nibbles is encoded in reverse
order wherein the low-order nibble is encoded first, followed by the next low-order nibble and so
on. Each nibble is represented by a hexadecimal digit.
For example, consider the following IPv6 address:
4321:0:1:2:3:4:567:89ab
Following is the reverse lookup domain name in the ip6.arpa domain:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
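
The nibble encoding described above, as an added Python example that is not part of the original release notes: it builds the reverse lookup name for an address and decodes such a name (for instance, one seen in a query log) back to the address, rejecting names that are not a full 32-nibble entry. The function names are assumptions of this example; the sample address is the one used above.

```python
import ipaddress

# ip6.int is the legacy suffix that the notes say is still supported.
SUFFIXES = ("ip6.arpa", "ip6.int")


def to_reverse_name(address, suffix="ip6.arpa"):
    """Encode an IPv6 address as a nibble-format reverse lookup name."""
    addr = ipaddress.IPv6Address(address)
    # .exploded restores every leading zero, giving all 32 hex digits.
    nibbles = addr.exploded.replace(":", "")
    # Low-order nibble first, one hex digit per label.
    return ".".join(reversed(nibbles)) + "." + suffix + "."


def from_reverse_name(name):
    """Decode a reverse lookup name back to an IPv6Address.

    Raises ValueError unless the name is exactly 32 single-hex-digit
    labels followed by ip6.arpa or ip6.int.
    """
    labels = name.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) not in SUFFIXES:
        raise ValueError("not under ip6.arpa or ip6.int: %r" % name)
    nibbles = labels[:-2]
    if len(nibbles) != 32:
        raise ValueError("expected 32 nibble labels, got %d" % len(nibbles))
    for label in nibbles:
        if len(label) != 1 or label not in "0123456789abcdef":
            raise ValueError("label %r is not a single hex digit" % label)
    # Undo the reversal, then regroup into eight 16-bit fields.
    digits = "".join(reversed(nibbles))
    groups = [digits[i:i + 4] for i in range(0, 32, 4)]
    return ipaddress.IPv6Address(":".join(groups))


if __name__ == "__main__":
    name = to_reverse_name("4321:0:1:2:3:4:567:89ab")
    print(name)
    print(from_reverse_name(name))
```
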
New method of listing master servers
Starting with BIND 9.3.2, the masters statement provides a list of master name servers that can
be included in the masters clause of the zone statement.
Following is the masters statement with the new masters_list option, which specifies the
acl name of the list of master name servers:
    masters name [port ip_port] {(masters_list | ip_addr [port ip_port] [key key]); [...]};
The masters_list option specifies one or more IP addresses of master servers, which the slave
can contact to update its copy of the zone. The masters_list elements can also be names of
other master lists. This list can be used in the masters clause in the zone statement.
Following is a sample acl statement that assigns a symbolic name to an address match list:
    acl acl1 {
        15.70.190.186; 15.70.190.115;
    };
Following is a sample zone statement with the masters clause:
    zone "example.com" {
        type slave;
        masters {acl1;};
        file "db.example";
    };