Path: vixie!vixie
From: vixie@vix.com (Paul A Vixie)
Newsgroups: comp.protocols.tcp-ip.domains
Subject: Re: Format of DNS files (style question)
Date: 28 Aug 94 03:17:08
Organization: Vixie Enterprises
Lines: 159
Distribution: inet
Message-ID: <VIXIE.94Aug28031708@office.home.vix.com>
References: <33onnr$i4u@zombie.ncsc.mil>
NNTP-Posting-Host: office.home.vix.com
In-reply-to: sjr@zombie.ncsc.mil's message of 27 Aug 1994 21:02:51 -0400

> (Style) Suggestions for how to layout DNS configuration files (both
> forward and reverse)?

I've gone back and forth on the question of whether the BOG should include a
section on this topic. I know what I myself prefer, but I'm wary of ramming
my own stylistic preferences down the throat of every BOG reader. But since
you ask :-)...

Create /var/named. If your system is too old to have a /var, either create
one or use /usr/local/adm/named instead. Put your named.boot in it, and make
/etc/named.boot a symlink to it. If your system doesn't have symlinks, you're
S-O-L (but you knew that). In named.boot, put a "directory" directive that
specifies your actual BIND working directory:

	directory /var/named

All relative pathnames used in "primary", "secondary", and "cache" directives
will be evaluated relative to this directory. Create two subdirectories,
/var/named/pri and /var/named/sec. Whenever you add a "primary" directive
to your named.boot, use "pri/WHATEVER" as the path name. And then put the
primary zone file into "pri/WHATEVER". Likewise when you add "secondary"
directives, use "sec/WHATEVER" and BIND (really named-xfer) will create the
files in that subdirectory.

(Variations: (1) make a midlevel directory "zones" and put "pri" and "sec"
into it; (2) if you tend to pick up a lot of secondaries from a few hosts,
group them together in their own subdirectories -- something like
/var/named/zones/uucp if you're a UUCP Project name server.)

For your forward files, name them after the zone. dec.com becomes
"/var/named/zones/pri/dec.com". For your reverse files, name them after the
network number. 0.1.16.in-addr.arpa becomes "/var/named/zones/pri/16.1.0".

When creating or maintaining primary zone files, try to use the same SOA
values everywhere, except for the serial number which varies per zone. Put
a $ORIGIN directive at the top of the primary zone file, not because it's
needed (it's not since the default origin is the zone named in the "primary"
directive) but because it makes it easier to remember what you're working on
when you have a lot of primary zones. Put some comments up there indicating
contact information for the real owner if you're proxying. Use RCS and put
the "$Id: style.txt,v 8.1 1995/12/22 21:59:52 vixie Exp $" in a ";" comment near the top of the zone file.

The SOA and other top level information should all be listed together. But
don't put IN on every line, it defaults nicely. For example:

==============
@	IN	SOA	gw.home.vix.com. postmaster.vix.com. (
			1994082501	; serial
			3600		; refresh (1 hour)
			1800		; retry (30 mins)
			604800		; expire (7 days)
			3600 )		; minimum (1 hour)

		NS	gw.home.vix.com.
		NS	ns.uu.net.
		NS	uucp-gw-1.pa.dec.com.
		NS	uucp-gw-2.pa.dec.com.

		MX	10 gw.home.vix.com.
		MX	20 uucp-gw-1.pa.dec.com.
		MX	20 uucp-gw-1.pa.dec.com.
==============

I don't necessarily recommend those SOA values. Not every zone is as volatile
as the example shown. I do recommend that serial number format; it's in date
format with a 2-digit per-day revision number. This format will last us until
2147 A.D. at which point I expect a better solution will have been found :-).
(Note that it would last until 4294 A.D. except that there are some old BINDs
out there that use a signed quantity for representing serial number internally;
I suppose that as long as none of these are still running after 2047 A.D.,
that we can use the above serial number format until 4294 A.D., at which point
a better solution will HAVE to be found.)

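The serial arithmetic just described, as an added example that is not part of the original post: a small Python helper that composes and bumps YYYYMMDDNN serials and works out the last year the format still fits a signed and an unsigned 32-bit serial. The function and constant names are my own.

```python
# Added example (not part of the original post): arithmetic for the
# YYYYMMDDNN serial format recommended above, and the year at which it
# stops fitting in a signed 32-bit serial (2147) or an unsigned one (4294).
from datetime import date

SIGNED_MAX = 2**31 - 1      # old BINDs that kept the serial in a signed int
UNSIGNED_MAX = 2**32 - 1    # the serial's actual size in the SOA record


def make_serial(day, revision):
    """Compose YYYYMMDDNN; NN is the two-digit per-day revision."""
    if not 0 <= revision <= 99:
        raise ValueError("per-day revision must fit in two digits")
    return int(f"{day:%Y%m%d}{revision:02d}")


def next_serial(current, today):
    """Serial for an edit made `today`, given the zone's current serial.

    Same day: bump the revision; later day: restart at 00. Refuses to go
    backwards (secondaries only transfer a zone whose serial increased)
    and refuses a 100th edit in one day instead of rolling the date over.
    """
    day_part, revision = divmod(current, 100)
    today_part = int(f"{today:%Y%m%d}")
    if day_part > today_part:
        raise ValueError("current serial is dated in the future")
    if day_part == today_part:
        if revision >= 99:
            raise ValueError("more than 100 revisions in one day")
        return make_serial(today, revision + 1)
    return make_serial(today, 0)


def last_usable_year(limit):
    """Last year whose 31 Dec, revision 99 serial still fits in `limit`."""
    year = 1970
    while make_serial(date(year + 1, 12, 31), 99) <= limit:
        year += 1
    return year
```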
You'll note that I use a tab stop for "IN" even though I never again specify
it. This leaves room for names longer than 7 bytes without messing up the
columns. You might also note that I've put the MX priority and destination
in the same tab stop; this is because both are part of the RRdata and both
are very different from MX which is an RRtype. Some folks seem to prefer to
group "MX" and the priority together in one tab stop. While this looks neat
it's very confusing to newcomers and for them it violates the law of least
astonishment.

If you have a multi-level zone (one which contains names that have dots in
them), you can use additional $ORIGIN statements but I recommend against it
since there is no "back" operator. That is, given the above example you can
add:

=============
$ORIGIN	home
gw		A	192.5.5.1
=============

The problem with this is that subsequent RR's had better be somewhere under
the "home.vix.com" name or else the $ORIGIN that introduces them will have
to use a fully qualified name. FQDN $ORIGIN's aren't bad and I won't be mad
if you use them. Unqualified ones as shown above are real trouble. I usually
stay away from them and just put the whole name in:

=============
gw.home		A	192.5.5.1
=============

In your reverse zones, you're usually in some good luck because the owner name
is usually a single short token or sometimes two.

=============
$ORIGIN 5.5.192.in-addr.arpa.
@	IN	SOA	...
		NS	...
1		PTR	gw.home.vix.com.
-------------
$ORIGIN 1.16.in-addr.arpa.
@	IN	SOA	...
		NS	...
2.0		PTR	gatekeeper.dec.com.
=============

It is usually pretty hard to keep your forward and reverse zones in synch.
You can avoid that whole problem by just using "h2n" (see the ORA book, DNS
and BIND, and its sample toolkit, included in the BIND distribution or on
ftp.uu.net (use the QUOTE SITE EXEC INDEX command there to find this -- I
never can remember where it's at). "h2n" and many tools like it can just
read your old /etc/hosts file and churn it into DNS zone files. (May I
recommend contrib/decwrl/mkdb.pl from the BIND distribution?) However, if
you (like me) prefer to edit these things by hand, you need to follow the
simple convention of making all of your holes consistent. If you use
192.5.5.1 and 192.5.5.3 but not (yet) 192.5.5.2, then in your forward file
you will have something like

=============
...
gw.home		A	192.5.5.1
;avail		A	192.5.5.2
pc.home		A	192.5.5.3
=============

and in your reverse file you will have something like

=============
...
1		PTR	gw.home.vix.com.
;2		PTR	avail
3		PTR	pc.home.vix.com.
=============

This convention will allow you to keep your sanity and make fewer errors.
Any kind of automation (h2n, mkdb, or your own perl/tcl/awk/python tools)
will help you maintain a consistent universe even if it's also a complex
one. Editing by hand doesn't have to be deadly but you MUST take care.

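The "consistent holes" convention above, as an added example that is not part of the original post: a Python checker that reads forward and reverse zone fragments in the style shown (the sample fragments are constructed from the post's examples) and reports A records without a matching PTR and PTR records without a matching A. The function names and the use of the ipaddress module are my own choices.

```python
# Added example (not part of the original post): a checker for the "keep
# your holes consistent" convention. It reads zone fragments in the style
# shown above ($ORIGIN, relative or FQDN owner names, ';' comments) and
# lists A records with no matching PTR and vice versa. Owner-less
# continuation lines are not handled; the post's fragments spell owners out.
import ipaddress

# Constructed sample fragments modelled on the post's examples.
FORWARD = """\
$ORIGIN vix.com.
gw.home		A	192.5.5.1
;avail		A	192.5.5.2
pc.home		A	192.5.5.3
"""
REVERSE = """\
$ORIGIN 5.5.192.in-addr.arpa.
1		PTR	gw.home.vix.com.
;2		PTR	avail
3		PTR	pc.home.vix.com.
"""


def qualify(name, origin):
    """Absolute names end in '.'; relative ones get the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def records(zone_text, rrtype):
    """Map owner FQDN -> RDATA for every record of `rrtype`."""
    origin, found = ".", {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # ';' starts a comment
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif len(fields) >= 3 and fields[-2] == rrtype:
            found[qualify(fields[0], origin).lower()] = fields[-1].lower()
    return found


def mismatches(forward, reverse):
    """Return (A owners lacking a matching PTR, PTR owners lacking an A)."""
    a_by_name = records(forward, "A")
    ptr_by_rev = records(reverse, "PTR")
    # PTR owner each A record implies: 192.5.5.1 -> 1.5.5.192.in-addr.arpa.
    expected = {ipaddress.ip_address(ip).reverse_pointer + ".": name
                for name, ip in a_by_name.items()}
    no_ptr = sorted(n for rev, n in expected.items() if ptr_by_rev.get(rev) != n)
    no_a = sorted(rev for rev, n in ptr_by_rev.items() if expected.get(rev) != n)
    return no_ptr, no_a
```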
Anyone who wants to know how to maintain nonleaf zones, i.e., zones which
have few or no hosts in them but have hundreds or thousands of delegations,
should attend Usenix LISA in San Diego and be there for the SENDS talk.
Contact office@usenix.org for conference information.
--
Paul Vixie
Redwood City, CA
decwrl!vixie!paul
<paul@vix.com>