501b1be8fa
commented out example who have either not responded, or specifically asked not to participate because they do not view AXFR as "a production service." 2. Add f.root-servers.net to the example after confirmation from Paul Vixie. 3. Add a warning to the commented out "root zone slave" example to the effect that it requires more attention than a hints file, and provides more benefit to larger sites than individual hosts. 4. Correct a typo copied from RFC 2544 which was corrected in a later errata, and confirmed in RFC 3330. Update the comment to reflect that RFC 3330 got it right and to avoid confusion down the road. 3330 also contains a reference back to 2544 for anyone interested in pursuing the history. [1] PR: conf/115573 [1] Submitted by: Oliver Fromme <olli@secnetix.de> [1] Approved by: re (kensmith)
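// $FreeBSD$
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
	// Relative to the chroot directory, if any
	directory	"/etc/namedb";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

	// If named is being used only as a local resolver, this is a safe default.
	// For named to be accessible to the network, comment this option, specify
	// the proper IP address, or delete this option.
	//
	// If you do open it to the network, also restrict who may use it
	// (see the allow-query and allow-recursion options in named.conf(5)).
	// A server that answers recursive queries for arbitrary clients is an
	// "open resolver" and will be abused for traffic amplification.
	listen-on	{ 127.0.0.1; };

	// If you have IPv6 enabled on this system, uncomment this option for
	// use as a local resolver. To give access to the network, specify
	// an IPv6 address, or the keyword "any". The same access
	// restrictions as for the IPv4 listener apply.
//	listen-on-v6	{ ::1; };

	// These zones are already covered by the empty zones listed below.
	// If you remove the related empty zones below, comment these lines out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

	// In addition to the "forwarders" clause, you can force your name
	// server to never initiate queries of its own, but always ask its
	// forwarders only, by enabling the following line:
	//
//	forward only;

	// If you've got a DNS server around at your upstream provider, enter
	// its IP address here, and enable the line below. This will make you
	// benefit from its cache, thus reduce overall DNS traffic in the Internet.
	// Note that you then also inherit whatever that cache contains, so only
	// forward to a server you trust.
/*
	forwarders {
		127.0.0.1;
	};
*/

	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below. Previous versions of BIND always asked
	 * questions using port 53, but BIND versions 8 and later
	 * use a pseudo-random unprivileged UDP port by default.
	 *
	 * Be aware that pinning the source port gives up that randomness,
	 * which is one of the few things protecting a resolver from
	 * accepting forged answers (cache poisoning). If at all possible,
	 * let the unprivileged UDP port range through the firewall
	 * instead of enabling this directive.
	 */
//	query-source address * port 53;
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "named.root"; };

/*	Slaving the following zones from the root name servers has some
	significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots
	3. Greater resilience to any potential root server failure/DDoS

	On the other hand, this method requires more monitoring than the
	hints file to be sure that an unexpected failure mode has not
	incapacitated your server. In particular, a slave zone that can no
	longer be refreshed from its master eventually expires, and the
	server then stops answering for that zone entirely -- for "." that
	means all resolution stops. Keep an eye on the transfer status in
	the logs. Name servers that are serving a lot of clients will
	benefit more from this approach than individual hosts. Use with
	caution.

	To use this mechanism, uncomment the entries below, and comment
	the hint zone above.
*/
/*
zone "." {
	type slave;
	file "slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "arpa" {
	type slave;
	file "slave/arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "in-addr.arpa" {
	type slave;
	file "slave/in-addr.arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
*/

/*	Serving the following zones locally will prevent any queries
	for these zones leaving your network and going to the root
	name servers. This has two significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots

	Remember that an empty zone answers "no such name" for everything
	beneath it: only list address space that really is not in use on
	the Internet, or you silently blackhole reverse lookups for it.
*/
// RFC 1912
zone "localhost"	{ type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa"	{ type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa"	{ type master; file "master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa"	{ type master; file "master/localhost-reverse.db"; };

// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa"	{ type master; file "master/empty.db"; };

// IANA Reserved - Unlikely to ever be assigned
// Check these against the current IANA IPv4 address space registry before
// keeping them; "unlikely" is not "never", and a block that is later
// allocated would have its reverse lookups answered empty from here.
zone "1.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "2.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "223.in-addr.arpa"	{ type master; file "master/empty.db"; };

// Public Data Networks (RFC 3330)
zone "14.in-addr.arpa"	{ type master; file "master/empty.db"; };

// Private Use Networks (RFC 1918)
// If you use one of these ranges internally and run your own reverse
// zone for it, that zone must replace the matching entry here.
zone "10.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa"	{ type master; file "master/empty.db"; };

// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa"	{ type master; file "master/empty.db"; };

// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa"	{ type master; file "master/empty.db"; };

// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa"	{ type master; file "master/empty.db"; };

// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "241.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "242.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "243.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "244.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "245.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "246.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "247.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "248.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "249.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "250.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "251.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "252.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "253.in-addr.arpa"	{ type master; file "master/empty.db"; };
zone "254.in-addr.arpa"	{ type master; file "master/empty.db"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "3.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "4.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "5.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "6.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "7.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "8.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "9.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "a.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "b.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "c.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "d.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "e.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "0.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "1.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "2.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "3.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "4.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "5.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "6.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "7.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "8.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "9.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "a.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "b.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "0.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "1.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "2.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "3.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "4.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "5.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "6.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "7.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };

// IPv6 ULA (RFC 4193)
zone "c.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "d.f.ip6.arpa"	{ type master; file "master/empty.db"; };

// IPv6 Link Local (RFC 4291)
zone "8.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "9.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "a.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "b.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };

// IPv6 Deprecated Site-Local Addresses (RFC 3879)
zone "c.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "d.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "e.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };
zone "f.e.f.ip6.arpa"	{ type master; file "master/empty.db"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int"		{ type master; file "master/empty.db"; };

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.

/* An example dynamic zone

   The key below is a placeholder, not a secret. Generate your own
   (rndc-confgen or dnssec-keygen can produce one), never reuse a value
   that has been published, and keep this file unreadable by other
   users: whoever holds the secret can rewrite the zone. hmac-md5 is
   the oldest TSIG algorithm; prefer hmac-sha256 where your BIND
   supports it. Also consider an allow-transfer clause for master
   zones -- BIND 9 has traditionally allowed zone transfers to anyone
   unless told otherwise.

key "exampleorgkey" {
	algorithm hmac-md5;
	secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
	type master;
	allow-update {
		key "exampleorgkey";
	};
	file "dynamic/example.org";
};
*/

/* Example of a slave reverse zone

   A transfer from a bare IP address is not authenticated; if the
   master supports TSIG, add a key to the masters entry so the copied
   zone cannot be substituted on the wire.

zone "1.168.192.in-addr.arpa" {
	type slave;
	file "slave/1.168.192.in-addr.arpa";
	masters {
		192.168.1.1;
	};
};
*/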