Installation guide

Chapter 16. Berkeley Internet Name Domain (BIND)
16.4.2. Multiple Views
Through the use of the view statement in /etc/named.conf, BIND allows you to configure a
nameserver to answer queries for some clients in a different way than it answers them for others.
This is primarily used to deny particular types of DNS queries from clients outside of your network,
while allowing those same queries from clients on the local network.
The view statement uses the match-clients option to match IP addresses or entire networks and
give them special options and zone data.
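The following named.conf fragment illustrates this split. It is an added example, not part of the original guide; the ACL name, the 192.168.0.0/24 network, the example.com zone and the zone file paths are assumed placeholders.

```conf
// Constructed example: every name, network and path below is a placeholder.
acl "internal-nets" {
    127.0.0.1;
    192.168.0.0/24;        // assumed local network
};

view "internal" {
    // Clients on the local network: recursive queries are answered
    // and the internal copy of the zone is served.
    match-clients { "internal-nets"; };
    recursion yes;

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    // All other clients: authoritative answers only, no recursion,
    // and a separate zone file containing only public records.
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

named tests views in the order they appear and uses the first one whose match-clients list matches, so the catch-all view must come last. Once any view is defined, every zone statement must be placed inside a view.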
16.4.3. Security
BIND supports a number of different methods to protect the updating and transfer of zones, on both
master and slave nameservers:
DNSSEC: Short for DNS SECurity, this feature allows for zones to be cryptographically signed
with a zone key.
In this way, the information about a specific zone can be verified as coming from a nameserver that
has signed it with a particular private key, as long as the recipient has that nameserver’s public key.
BIND version 9 also supports the SIG(0) public/private key method of message authentication.
TSIG: Short for Transaction SIGnatures, a shared secret key exists on the master and slave server,
verifying that a transfer from master to slave is authorized.
This feature strengthens the standard IP address-based method of transfer authorization. An attacker
would not only need to have access to the IP address to transfer the zone, but they would also need
to know the secret key.
BIND version 9 also supports TKEY, which is another shared secret key method of authorizing zone
transfers.
16.4.4. IP version 6
BIND version 9 can provide nameservice in IP version 6 (IPv6) environments, through the use of A6
zone records.
If your network environment includes both IPv4 and IPv6 hosts, you should use the lwresd
lightweight resolver daemon on your network clients. This daemon is essentially a very efficient,
caching-only nameserver, which understands the new A6 and DNAME records used with IPv6. See the
lwresd man page for more information.
16.5. Common Mistakes to Avoid
It is very common for beginners to make mistakes when editing BIND configuration files or run into
initial difficulties using named. Be sure to avoid the following problems:
Make sure you increment the serial number when editing a zone file.
If the serial number is not incremented, your master nameserver may have the correct, new
information, but your slave nameservers will never be notified of the change or attempt to refresh their
data of that zone.
Be careful to use curly braces and semi-colons correctly in the /etc/named.conf file.
An omitted semi-colon or unclosed brace section will cause named to refuse to start.