One Newbie, totally confused

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 3 00:56:51 UTC 2006 

Slackr wrote:
> I want to create a bind-based setup for  www.domain1.com, a.domain1.com
> for host 127.0.0.1
> (obviously these aren't the real addresses)!
> Can I get anyone's help?
>   
Simplistically:

1. Define the domain1.com zone in your named.conf as "type master".
2. Populate the zone file with "www" and "a" entries (in addition to the 
required entries like SOA and NS).
3. Configure the rest of the master's BIND environment:
    a) start named automatically on reboot
    b) log messages of interest to syslog or directly to a file
    c) set up rndc so that you can control the daemon
    d) set up named to run unprivileged and/or chroot'ed
    e) if you expect to be changing the zone fairly frequently, such 
that manually editing zone files (followed up by incrementing the zone's 
serial number and telling named, via rndc, to reload it) is bound to 
become impractical, set up some sort of change mechanism, be it a 
version-control, source-code-control system like RCS, a web frontend 
with a Dynamic Update backend (as we have), webmin (look it up), or for 
heavier-duty stuff, look into BIND's "SDB" extensions, so that you can 
use as your BIND data store a relational database, an LDAP directory, or 
something along those lines (note that I've never actually worked with 
SDB, but other people on this list have). At the "enterprise" level, you 
don't need to abandon BIND, since the DNS component of some of the 
leading "address management" products, like Nortel's NetID or Lucent's 
QIP, are, under the covers, just modified versions of BIND.
4. Set up 1 or more other nameservers to slave the zone from the master 
server by adding a "type slave" definition to their named.conf, along 
with the necessary "environmental" configuration (see #3a through #3d 
above), and publishing those slaves in the set of NS records at the apex 
of the zone. You might also want to consider setting up TSIG-based 
authentication between the masters and slaves for enhanced security.
5. Optionally, set up caching resolvers that have the ability to resolve 
names in the domain1.com zone. If domain1.com is in the normal 
delegation hierarchy that your caching resolver would use, then this is 
somewhat trivial, but if it's not -- e.g. if your caching resolver uses 
the Internet DNS, but domain1.com is not registered in, or 
registered-in-but-not-delegated from the Internet DNS -- then you'll 
have to explicitly define domain1.com in the caching resolver, either as 
"type stub", "type slave" (if it's a slave but not a published one, we 
call that a "stealth slave", by the way), or "type forward". The choice 
of whether to use stub, slave or forward for any given zone is a 
non-trivial one, depending on factors like basic network connectivity, 
bandwidth, depth of delegations, query traffic patterns and volume, 
cache-persistence settings, the permission(s) of your server(s) to make 
certain categories of queries (zone transfer, recursive) to other 
servers, and/or availability expectations, among others. Generally 
speaking I'd go with "type stub" if possible, for these "delegation 
overrides".
6. Finally, configure -- probably via DHCP -- your clients ("stub 
resolvers") to use some combination(s) of master, slave(s) and/or 
caching-resolver(s) for resolving all of their DNS names. As long as 
your clients are talking only to nameservers/resolvers that either a) 
are authoritative (master or slave) for domain1.com, or b) have explicit 
configuration that allows them to resolve domain1.com names, or c) can 
find domain1.com via the normal delegation hierarchy, then they 
shouldn't have any problems resolving domain1.com names.

(Note that you only said "create a bind-based setup"; you didn't say 
anything about publishing your domain1.com information to the Internet 
or to an intranet with its own internal root. So I haven't included any 
of those domain-registration-and/or-delegation steps in the sequence above).

I'd recommend procuring and reading _DNS_and_BIND_ (Fourth or Fifth 
Edition) from O'Reilly. It's more-or-less the "bible" on the subject.

                                                                         
                                    - Kevin

More information about the bind-users mailing list