System Administration: Another Step toward the BIND - IV

In this session we're going to look at a zone file listed in our named.conf file.

So let's look at pri.example.org. Notice the a CNAME and SPF files. We didn't list those in our file types in part III, but we'll demonstrate what they do in the next session.

Here's our zone file:

@ IN SOA server1.example.org. root.localhost. (
                        2006012103; serial
                        28800; refresh, seconds
                        7200; retry, seconds
                        604800; expire, seconds
                        86400 ); minimum, seconds
;
                   NS server1.example.org.;
                   NS server2.example.org. ;
;
                   MX 10 server1.example.org.
;

example.org.   A 70.158.253.42
www                A 70.158.253.42
server1            A 70.158.253.42
server2            A 70.158.253.45
ftp                CNAME www
example.org.                  TXT "v=spf1 a mx ~all"
server1.example.org.          TXT "v=spf1 a -all"

The first line in our zone file looks like this:

@ IN SOA server1.example.org. root.localhost. (

The "@" sign in the line refers to the "origin" for this zone file which is server1.example.org. DNS uses this as simply a label to designate the Start Of Authority (SOA) record that appears at the beginning of any zone file defining a domain. Don't make too much out of this. If you read much about DNS, then you will see people using this strange term "current origin". Few people explain what that means. It's just another bit of jargon.

The next item on the line "IN" stands for Internet. People call this a class field. Three classes exist including "HS" for Hesiod servers and "CH" which stands for Chaosnet servers.

You will only see Internet servers, but if you sweat the small stuff then you might want to know that HS and CH protocols barely exist. These are old typologies dating back to the 1970s. If you ever use them, it might be in a laboratory in a far off corner with some lab rats.

IETF RFC 1035, Domain Names - Implementation and Specification says:

The SOA record stores information about the name of the server that supplied the data for the zone; the administrator of the zone; the current version of the data file [serial number]; the number of seconds a secondary name server should wait before checking for updates; the number of seconds a secondary name server should wait before retrying a failed zone transfer; the maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire; and a default number of seconds for the time-to-live file on resource records.

What's next? The mailing address of the administrator in this file is root@localhost. Obviously, my mail server delivers local mail so messages related to this process will go to root's mailbox.

In case you missed it, the first line is only part of the SOA record. It has additional fields. Notice the "(" at the end of the line. Here's the rest of the record. Remember these exist for the benefit of the slave server.

                        2006012103; serial
                        28800; refresh, seconds
                        7200; retry, seconds
                        604800; expire, seconds
                        86400 ); minimum, seconds

The serial number is the only field in the record that does not refer to seconds.

The remaining fields use seconds to denote their values. For example, the number of seconds a secondary name server should wait before checking for updates is in the refresh record. 28800 seconds is 480 minutes or 8 hours.

Also notice that the SOA record ends at the end of the Minimum-Time to Live (TTL). You can see the ")" symbol which closes the record values.

NS Records

Next we write our NS records. This record specifies the name servers that are responsible for our domain. You can list as many as you want even though two are used by convention.

                   NS server1.example.org.;
                   NS server2.example.org. ;

Please note: the semicolon (';') does not mark the end of a line; instead it marks the beginning of a comment in a zone file. You can write

NS server1.example.org.; This is my primary name server.

However, if you do not have any comments, you can as well write:

                   NS server1.example.org.

In the next session, we'll analyze the remainder of the zone file. For now, you might want to take a bit of a breather.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Corrections

hillardn's picture

Yes, BIND can be both authoritative and cacheing.

There are a couple of points that I'd like to make:

CNAME and SPF are not files. CNAME is a record type, SPF isn't. It is a specific use of a TXT record.

The "@" sign in the line refers to the "origin" for this zone file which is server1.example.org.
That is incorrect. The origin is defind in the primary or secondary statement in named.conf or by using $ORIGIN. It is not the value listed after SOA - that is the primary master name server.

The mailing address of the administrator in this file is root@localhost.
For internal use that is fine but not for use on the Internet.

The remaining fields use seconds to denote their values.
Alternatively you can use 'm' (minutes), 'h' (hours), 'd' (days) or 'w' (weeks). e.g. 2w (for two weeks instead of 1209600).

Also notice that the SOA record ends at the end of the Minimum-Time to Live (TTL).
This is now the negative TTL. This has been true since BIND 8.2.

It should also be pointed out that if the resource of a record is blank then it is the same as the previous record.

The description states that 'IN' refers to 'Internet' but then omits it from the rest of the records. It should be made clear that it is optional and BIND will use the value from the zone definition if it is not listed.

It should also be noted that unless an entry ends with a period, it will have the origin appended (applicable to names).

A better example zone would be:


@ IN SOA server1.example.org. root.example.org. (
200601201; Serial
3h; Refresh
1h; Retry
1w; Expire
1h ); Negative TTL

IN NS server1
IN NS server2

IN MX 10 server1

IN A 70.158.253.42
IN TXT "v=spf1 a mx ~all"

ftp IN CNAME www
server1 IN A 70.158.253.42
server1 IN TXT "v=spf1 a -all"
server2 IN A 70.158.253.45
www IN A 70.158.253.42

Neil.

Caching Server

ut-admin's picture

It was mentioned that the default bind setup is a caching DNS server and is obviously not authoritative. Can bind be a authoritative DNS server for a domain and still be a caching server?

yes, if you want to be compromised in an eyeblink

Anonymous's picture

BIND does not separate caching and authoritative functions. It has been known since practically forever that this is completely stupid and asking for cache poisoning and other exploits. The way to get around this is to run two completely separate BIND servers, separated physically and logically. One does caching, one is your authoritative server.

Or even better, don't use BIND at all, but any of the superior alternatives.

| Or even better, don't use

Anonymous's picture

| Or even better, don't use BIND at all, but any of the superior alternatives.

Oh, and what are those "superior" _alternatives_ anyway? :)

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState