BIND- help me confirm my config please

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 7 02:22:56 UTC 2000


First of all, get the _DNS_and_BIND_ O'Reilly book (3rd Edition is the
latest published edition) if you want to do anything serious with DNS.
Those other books may talk about DNS and/or BIND in passing, but they are
no substitute for "the book".

Secondly, upgrade to BIND 8.2.2-p5 at least. The config you show is for
BIND 4, which is very old and full of bugs. The configuration file is
completely different for BIND 8, but there is a conversion tool.

You shouldn't have two different slave ("secondary", in BIND 4
terminology) definitions for the same "this.net" zone. I don't quite
recall what BIND 4 would do with this. In the best case, it will just take
one of the definitions, which means you don't have as much redundancy as
you hoped. In the worst case, multiple named-xfers may end up writing
over each other in the same zone file. Or maybe it will just reject
*both* definitions. You can do what you (apparently) want by listing
*both* masters in the same definition, i.e.

secondary  this.net  2.2.2.2 2.2.2.3 this.hosts

BIND 4's named-xfer will try those addresses in order.

I don't know whether you need the forwarders statement or not. Can your
nameserver talk directly to every other nameserver it needs to? If not,
then you may need the forwarders to help with that, in which case you
should also have a "slave" directive, otherwise if the forwarders are
unavailable, you may find that your nameserver just thrashes trying to
resolve queries that it can never resolve. With the "slave" directive, the
nameserver will just give up if the forwarders are unavailable. I *do*
know, however, that you shouldn't list root servers (198.41.0.4 and
193.0.14.120) as forwarders; that's anti-social and won't work anyway for
most Internet queries you'd want to make, since the root servers don't
honor recursion.

You should define (uncomment) 0.0.127.in-addr.arpa if you want to control
how loopback, i.e. 127.0.0.1, reverse-resolves. If you don't care about
that, you don't need the zone.

Whether you should define (uncomment) 1.1.in-addr.arpa is up to you: can
you reverse-resolve addresses in that range using the normal forwarding or
non-forwarding mechanisms? Do you need to reverse-resolve those addresses
at all? Note that with BIND 8 you have other options besides being a slave
for a zone: you can be a "stub" or, with later versions of BIND 8, you can
forward on a per-domain basis (as opposed to globally).

Oh, and please get rid of that "caching only" comment. You are a slave
and/or forwarding server. Obviously that's not "caching only".


- Kevin


sygurd1006 at my-deja.com wrote:

> BIND- help me confirm my config please:
> I have a DNS server which I have attempted to configure as a secondary;
> I am in China and was using old documentation from the O'Reilly TCP/IP
> book and the UNIX red book.
> My DNS primary is 2.2.2.2 and he has a backup 2.2.2.3.
> Do I need the reverse statement?
> Do I need the forwarders statement?
> My /etc/named.boot is as follows:
> ;
> ; a caching only nameserver config
> ;
> directory                                       /var/named
> cache      .                                    named.ca
> ; primary    0.0.127.in-addr.arpa               named.local
> ; make him a secondary nameserver
> secondary  this.net            2.2.2.2         this.hosts
> secondary  this.net            2.2.2.3         this.hosts
> ; secondary  1.1.in-addr.arpa  2.2.2.2         2.2.rev
> ;
> forwarders 2.2.2.2   2.2.2.3  198.41.0.4 193.0.14.129
> [root at this dataeng]#
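As an added illustration, not part of Kevin's reply or the original post, this is what the corrected setup Kevin describes would look like in BIND 8 named.conf syntax: a single slave definition listing both masters, forwarders without the root servers, and "forward only" in place of BIND 4's "slave" directive. The file names and the 2.2.2.x addresses are taken from the quoted named.boot; the rest is assumed.

```conf
// Assumed BIND 8 named.conf equivalent of the corrected named.boot
// (added example; not from the original thread).
options {
    directory "/var/named";
    // Only the two masters; the root servers are left out, since they
    // don't honor recursion and shouldn't be used as forwarders.
    forwarders { 2.2.2.2; 2.2.2.3; };
    // Equivalent of BIND 4's "slave" directive: give up when the
    // forwarders are unavailable instead of thrashing on recursion.
    forward only;
};

// Root hints (BIND 4: "cache . named.ca")
zone "." {
    type hint;
    file "named.ca";
};

// Loopback reverse zone, only if you want to control how 127.0.0.1
// reverse-resolves (BIND 4: "primary 0.0.127.in-addr.arpa named.local")
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};

// One slave definition with both masters; they are tried in order
// (BIND 4: "secondary this.net 2.2.2.2 2.2.2.3 this.hosts")
zone "this.net" {
    type slave;
    masters { 2.2.2.2; 2.2.2.3; };
    file "this.hosts";
};

// Optional reverse zone. Instead of "type slave", BIND 8.2 and later
// also allow "type forward; forwarders { 2.2.2.2; };" to forward just
// this domain rather than globally.
zone "1.1.in-addr.arpa" {
    type slave;
    masters { 2.2.2.2; 2.2.2.3; };
    file "2.2.rev";
};
```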