Weekly Topic 3: Discussion of named.conf Parameters
I skipped a week without setting a topic because I kept thinking about which subject would suit everyone best; this week it suddenly struck me that the basics matter most, so I decided on this one!
I believe that most of you who have used ISC BIND only half understand some of the features in named.conf, so this week's topic should be quite meaningful for everyone.
The direction I would suggest for the discussion:
For example:
auth-nxdomain boolean;
You first say what you understand and know about it (searching Google is fastest), and which parts are unclear to you.
Personally I would rather this not become a one-way lecture, but a back-and-forth discussion, which does more to build everyone's understanding.
Below is the full content of named.conf that I took from BIND 9.3.0 (I removed the DNSSEC-related parts). You can pick a feature and say what your understanding of it is; if it is a rare problem I may answer directly, but the point is that it is best to do your own homework and research first, that way you gain the most.
ACL
acl string { address_match_element; ... };
MASTERS
masters string [ port integer ] {
( masters | ipv4_address |
ipv6_address ) [ key string ]; ...
};
SERVER
server ( ipv4_address | ipv6_address ) {
bogus boolean;
edns boolean;
provide-ixfr boolean;
request-ixfr boolean;
support-ixfr boolean; // obsolete
transfer-format ( many-answers | one-answer );
transfer-source ( ipv4_address | * ) [ port ( integer | * ) ];
};
CONTROLS
controls {
inet ( ipv4_address | ipv6_address | * )
[ port ( integer | * ) ]
allow { address_match_element; ... }
[ keys { string; ... } ];
};
LOGGING
logging {
channel string {
file log_file;
syslog optional_facility;
stderr;
severity log_severity;
print-time boolean;
print-severity boolean;
print-category boolean;
};
category string { string; ... };
};
LWRES
lwres {
listen-on [ port integer ] {
( ipv4_address | ipv6_address ) [ port integer ]; ...
};
view string optional_class;
search { string; ... };
ndots integer;
};
OPTIONS
options {
avoid-v4-udp-ports { port; ... };
avoid-v6-udp-ports { port; ... };
coresize size;
datasize size;
directory quoted_string;
dump-file quoted_string;
files size;
heartbeat-interval integer;
hostname ( quoted_string | none );
interface-interval integer;
listen-on [ port integer ] { address_match_element; ... };
listen-on-v6 [ port integer ] { address_match_element; ... };
match-mapped-addresses boolean;
memstatistics-file quoted_string;
pid-file ( quoted_string | none );
port integer;
querylog boolean;
recursing-file quoted_string;
random-device quoted_string;
recursive-clients integer;
serial-query-rate integer;
server-id ( quoted_string | none | );
stacksize size;
statistics-file quoted_string;
tcp-clients integer;
tcp-listen-queue integer;
transfers-per-ns integer;
transfers-in integer;
transfers-out integer;
use-ixfr boolean;
version ( quoted_string | none );
allow-recursion { address_match_element; ... };
sortlist { address_match_element; ... };
auth-nxdomain boolean; // default changed
minimal-responses boolean;
recursion boolean;
rrset-order {
[ class string ] [ type string ]
[ name quoted_string ] string string; ...
};
provide-ixfr boolean;
request-ixfr boolean;
additional-from-cache boolean;
query-source querysource4;
query-source-v6 querysource6;
cleaning-interval integer;
lame-ttl integer;
max-ncache-ttl integer;
max-cache-ttl integer;
transfer-format ( many-answers | one-answer );
max-cache-size size_no_default;
check-names ( master | slave | response )
( fail | warn | ignore );
cache-file quoted_string;
preferred-glue string;
dual-stack-servers [ port integer ] {
( quoted_string |
ipv4_address |
ipv6_address ); ...
};
edns-udp-size integer;
root-delegation-only [ exclude { quoted_string; ... } ];
allow-query { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
notify notifytype;
notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
also-notify [ port integer ] { ( ipv4_address | ipv6_address )
[ port integer ]; ... };
allow-notify { address_match_element; ... };
forward ( first | only );
forwarders [ port integer ] {
( ipv4_address | ipv6_address ) [ port integer ]; ...
};
max-journal-size size_no_default;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-retry-time integer;
min-retry-time integer;
max-refresh-time integer;
min-refresh-time integer;
multi-master boolean;
sig-validity-interval integer;
transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
alt-transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
alt-transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
use-alt-transfer-source boolean;
zone-statistics boolean;
allow-v6-synthesis { address_match_element; ... }; // obsolete
deallocate-on-exit boolean; // obsolete
fake-iquery boolean; // obsolete
fetch-glue boolean; // obsolete
has-old-clients boolean; // obsolete
maintain-ixfr-base boolean; // obsolete
max-ixfr-log-size size; // obsolete
multiple-cnames boolean; // obsolete
named-xfer quoted_string; // obsolete
serial-queries integer; // obsolete
treat-cr-as-space boolean; // obsolete
use-id-pool boolean; // obsolete
};
VIEW
view string optional_class {
match-clients { address_match_element; ... };
match-destinations { address_match_element; ... };
match-recursive-only boolean;
key string {
algorithm string;
secret string;
};
zone string optional_class {
...
};
server ( ipv4_address | ipv6_address ) {
...
};
allow-recursion { address_match_element; ... };
sortlist { address_match_element; ... };
topology { address_match_element; ... }; // not implemented
auth-nxdomain boolean; // default changed
minimal-responses boolean;
recursion boolean;
rrset-order {
[ class string ] [ type string ]
[ name quoted_string ] string string; ...
};
provide-ixfr boolean;
request-ixfr boolean;
rfc2308-type1 boolean; // not yet implemented
additional-from-auth boolean;
additional-from-cache boolean;
query-source querysource4;
query-source-v6 querysource6;
cleaning-interval integer;
min-roots integer; // not implemented
lame-ttl integer;
max-ncache-ttl integer;
max-cache-ttl integer;
transfer-format ( many-answers | one-answer );
max-cache-size size_no_default;
check-names ( master | slave | response )
( fail | warn | ignore );
cache-file quoted_string;
suppress-initial-notify boolean; // not yet implemented
preferred-glue string;
dual-stack-servers [ port integer ] {
( quoted_string |
ipv4_address |
ipv6_address ); ...
};
edns-udp-size integer;
root-delegation-only [ exclude { quoted_string; ... } ];
allow-query { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
notify notifytype;
notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
also-notify [ port integer ] { ( ipv4_address | ipv6_address )
[ port integer ]; ... };
allow-notify { address_match_element; ... };
forward ( first | only );
forwarders [ port integer ] {
( ipv4_address | ipv6_address ) [ port integer ]; ...
};
max-journal-size size_no_default;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-retry-time integer;
min-retry-time integer;
max-refresh-time integer;
min-refresh-time integer;
multi-master boolean;
sig-validity-interval integer;
transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
alt-transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
alt-transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
use-alt-transfer-source boolean;
zone-statistics boolean;
allow-v6-synthesis { address_match_element; ... }; // obsolete
deallocate-on-exit boolean; // obsolete
fake-iquery boolean; // obsolete
fetch-glue boolean; // obsolete
has-old-clients boolean; // obsolete
maintain-ixfr-base boolean; // obsolete
max-ixfr-log-size size; // obsolete
multiple-cnames boolean; // obsolete
named-xfer quoted_string; // obsolete
serial-queries integer; // obsolete
treat-cr-as-space boolean; // obsolete
use-id-pool boolean; // obsolete
};
VIEW
view string optional_class {
match-clients { address_match_element; ... };
match-recursive-only boolean;
key string {
algorithm string;
secret string;
};
zone string optional_class {
...
};
server ( ipv4_address | ipv6_address ) {
...
};
allow-recursion { address_match_element; ... };
sortlist { address_match_element; ... };
topology { address_match_element; ... }; // not implemented
auth-nxdomain boolean; // default changed
recursion boolean;
rrset-order {
[ class string ] [ type string ]
[ name quoted_string ] string string; ...
};
provide-ixfr boolean;
request-ixfr boolean;
rfc2308-type1 boolean; // not yet implemented
additional-from-auth boolean;
additional-from-cache boolean;
query-source querysource4;
query-source-v6 querysource6;
cleaning-interval integer;
min-roots integer; // not implemented
lame-ttl integer;
max-ncache-ttl integer;
max-cache-ttl integer;
transfer-format ( many-answers | one-answer );
max-cache-size size_no_default;
check-names ( master | slave | response )
( fail | warn | ignore );
cache-file quoted_string;
suppress-initial-notify boolean; // not yet implemented
dual-stack-servers [ port integer ] {
( quoted_string |
ipv4_address |
ipv6_address ); ...
};
edns-udp-size integer;
root-delegation-only [ exclude { quoted_string; ... } ];
disable-algorithms string { string; ... };
dnssec-enable boolean;
dnssec-lookaside string trust-anchor string;
dnssec-must-be-secure string boolean;
dialup dialuptype;
ixfr-from-differences ixfrdiff;
allow-query { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
notify notifytype;
notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
also-notify [ port integer ] { ( ipv4_address | ipv6_address )
[ port integer ]; ... };
allow-notify { address_match_element; ... };
forward ( first | only );
forwarders [ port integer ] {
( ipv4_address | ipv6_address ) [ port integer ]; ...
};
max-journal-size size_no_default;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-retry-time integer;
min-retry-time integer;
max-refresh-time integer;
min-refresh-time integer;
multi-master boolean;
sig-validity-interval integer;
transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
alt-transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
alt-transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
use-alt-transfer-source boolean;
zone-statistics boolean;
allow-v6-synthesis { address_match_element; ... }; // obsolete
fetch-glue boolean; // obsolete
maintain-ixfr-base boolean; // obsolete
max-ixfr-log-size size; // obsolete
};
ZONE
zone string optional_class {
type ( master | slave | stub | hint |
forward | delegation-only );
file quoted_string;
masters [ port integer ] {
( masters | ipv4_address [ port integer ] |
ipv6_address [ port integer ] ) [ key string ]; ...
};
database string;
delegation-only boolean;
check-names ( fail | warn | ignore );
dialup dialuptype;
ixfr-from-differences boolean;
allow-query { address_match_element; ... };
allow-transfer { address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
update-policy {
( grant | deny ) string
( name | subdomain | wildcard | self ) string
rrtypelist; ...
};
notify notifytype;
notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
also-notify [ port integer ] { ( ipv4_address | ipv6_address )
[ port integer ]; ... };
allow-notify { address_match_element; ... };
forward ( first | only );
forwarders [ port integer ] {
( ipv4_address | ipv6_address ) [ port integer ]; ...
};
max-journal-size size_no_default;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-retry-time integer;
min-retry-time integer;
max-refresh-time integer;
min-refresh-time integer;
multi-master boolean;
sig-validity-interval integer;
transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
alt-transfer-source ( ipv4_address | * )
[ port ( integer | * ) ];
alt-transfer-source-v6 ( ipv6_address | * )
[ port ( integer | * ) ];
use-alt-transfer-source boolean;
zone-statistics boolean;
ixfr-base quoted_string; // obsolete
ixfr-tmp-file quoted_string; // obsolete
maintain-ixfr-base boolean; // obsolete
max-ixfr-log-size size; // obsolete
};
Work hard at it; there is a lot above that I don't understand either ..
《Solution》
Wow.... that's a lot... ^_^
I'm afraid of indigestion; I may have to chew through it slowly...
《Solution》
I have never used the auth-nxdomain option! The explanation I found in the BIND 9 manual is as follows:
auth-nxdomain
If yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is no; this is a change from BIND 8. If you are using very old DNS software, you may need to set it to yes.
NX-DOMAIN means "domain doesn't exist". The AA bit means the server has authority.
So in theory I roughly know what it means, but I don't really understand how to use it in practice; I'll experiment with it tomorrow.
《Solution》
auth-nxdomain is one of the big differences between BIND 8 and 9...
If the answer for that domain did not come from an AA (an authoritative server's answer), BIND 9 does not trust it (yes); BIND 8 defaults to no, that is, as long as there is an answer it is trusted (regardless of whether the answer came from an authoritative server). The reason I chose this example is that it really is a big difference.
Suppose someone registered a domain, abc.cn, with CNNIC and set up the pointers
www.abc.cn IP1
mail.abc.cn IP2
but did not set up DNS on IP1/IP2. In that case, if your DNS has auth-nxdomain yes
it cannot be looked up, while with no it can.
《Solution》
Originally posted by "abel": but did not set up DNS on IP1/IP2
I don't get it~~~~
Do you mean he has no DNS server of his own, and only registered www.abc.cn and mail.abc.cn at the parent DNS? Then if the parent DNS runs BIND 9 with auth-nxdomain=yes, other hosts cannot get the IP of www.abc.cn?
《Solution》
Originally posted by "Raad":
I don't get it~~~~
Do you mean he has no DNS server of his own, and only registered www.abc.cn and mail.abc.cn at the parent DNS?
Yes.
Then if the parent DNS runs BIND 9 with auth-nxdomain=yes, other hosts cannot get the IP of www.abc.cn?
No. Rather, in this situation (www/mail are specified at the parent DNS, but no DNS server for that domain name has been set up at that IP),
there is basically one common symptom:
some people can look up www/mail and some cannot; some people's mail gets delivered and some people's does not.
Generally this depends on the DNS version used on the querying side: with BIND 8 it can be looked up,
with BIND 9 it cannot, that is, it is affected by this parameter.
; BIND 9 example
# dig @211.72.210.250 www.zycast.com.tw
; <<>> DiG 9.3.0 <<>> @211.72.210.250 www.zycast.com.tw
;; global options: printcmd
;; connection timed out; no servers could be reached
; BIND 8 example
# dig @168.95.1.1 www.zycast.com.tw
; <<>> DiG 9.3.0 <<>> @168.95.1.1 www.zycast.com.tw
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23764
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.zycast.com.tw. IN A
;; ANSWER SECTION:
www.zycast.com.tw. 86400 IN A 61.62.30.222
;; AUTHORITY SECTION:
zycast.com.tw. 86400 IN NS www.zycast.com.tw.
zycast.com.tw. 86400 IN NS zycast.com.tw.
;; ADDITIONAL SECTION:
www.zycast.com.tw. 86400 IN A 61.62.30.222
zycast.com.tw. 86400 IN A 61.62.30.222
;; Query time: 37 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Tue Nov 30 11:33:22 2004
;; MSG SIZE rcvd: 124
This domain name is exactly the situation I mentioned earlier. You can see that in the BIND 8 example, dig's
flags are qr rd ra, with no aa, so BIND 9 cannot look it up,
because of auth-nxdomain (the authoritative server says that domain name does not exist).
If auth-nxdomain is set to no, the query behaviour is basically about the same as BIND 8;
set to yes, the authority check is stricter.
Which is better or worse, in my view, depends on the person.
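As an added illustration (not code from this thread or from ISC BIND), the following Python decodes the DNS header flag word that dig prints as its "flags:" line, and contrasts an NXDOMAIN carrying the AA bit (what the quoted manual text says auth-nxdomain yes forces) with one without it and with the non-authoritative "qr rd ra" answer shown above. The header bytes are constructed samples and the classify() labels are my own naming.

```python
import struct

# Bit positions in the DNS header flags word (RFC 1035, section 4.1.1),
# in the order dig prints them on its "flags:" line.
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080))
NXDOMAIN = 3  # RCODE 3, "Name Error"

def build_header(txid, flags, rcode, ancount=0):
    """Constructed 12-byte DNS header; flags is a set of names from FLAG_BITS."""
    word = rcode & 0xF
    for name, bit in FLAG_BITS:
        if name in flags:
            word |= bit
    # id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!HHHHHH", txid, word, 1, ancount, 0, 0)

def parse_header(msg):
    """Decode the header fields the way dig shows them (flags string, rcode)."""
    txid, word, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    flags = [name for name, bit in FLAG_BITS if word & bit]
    return {"id": txid, "flags": " ".join(flags), "rcode": word & 0xF,
            "aa": bool(word & 0x0400), "ancount": an}

def classify(msg):
    """Label (my own naming) for what the AA bit says about this reply."""
    h = parse_header(msg)
    if h["rcode"] == NXDOMAIN:
        return "authoritative NXDOMAIN" if h["aa"] else "NXDOMAIN without AA"
    if h["ancount"] and not h["aa"]:
        return "non-authoritative answer"
    return "authoritative answer" if h["aa"] else "empty answer"

# Constructed samples (not captured traffic):
# 1. the shape of the BIND 8 dig output above: flags qr rd ra, one answer, no aa
NON_AUTH_ANSWER = build_header(23764, {"qr", "rd", "ra"}, 0, ancount=1)
# 2. NXDOMAIN from a server running with auth-nxdomain yes: AA forced on
AUTH_NXDOMAIN = build_header(1, {"qr", "aa", "rd", "ra"}, NXDOMAIN)
# 3. the same NXDOMAIN relayed by a recursive server with BIND 9's default auth-nxdomain no
PLAIN_NXDOMAIN = build_header(2, {"qr", "rd", "ra"}, NXDOMAIN)

if __name__ == "__main__":
    for label, msg in (("BIND 8 style answer", NON_AUTH_ANSWER),
                       ("auth-nxdomain yes", AUTH_NXDOMAIN),
                       ("auth-nxdomain no", PLAIN_NXDOMAIN)):
        h = parse_header(msg)
        print(f"{label:20} flags: {h['flags']:<12} rcode={h['rcode']} -> {classify(msg)}")
```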
《Solution》
If I want to allow a DHCP server with an IPv6 address to perform dynamic updates to DNS, how should it be configured in named.conf? Can I simply add the v6 address to the allow statement in the zone section? Thanks!
《Solution》
Thanks abel, I finally understand the auth-nxdomain parameter. It looks like we had better set it to no, otherwise if domain names cannot be resolved the boss will scold us :mrgreen: :mrgreen: :mrgreen:
《Solution》
Can someone explain this configuration to me? Many thanks.
logging {
channel security {
file "/bind/var/adm/named.security";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel client {
file "/bind/var/adm/named.client";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel default {
file "/bind/var/adm/named.default";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category security {security;};
category client {client;};
category lame-servers {null;};
category default {default_syslog; default_debug;default;};
};
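An added example, not from this thread: with print-time, print-category and print-severity all set to yes, each file channel above writes lines of the form "<time> <category>: <severity>: <message>", and this Python parses that shape and counts the "denied" events of the security category per client address. The log lines are constructed samples modelled on BIND 9's query-denied and transfer-denied messages, not the contents of a real named.security file.

```python
import re
from collections import Counter

# Shape of one line from a file channel with print-time, print-category and
# print-severity all "yes": "<dd-Mon-yyyy hh:mm:ss.mmm> <category>: <severity>: <message>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<message>.*)$")
# "client <addr>#<port>: <what> '<name>' denied" is the shape of BIND 9's
# query-denied and transfer-denied messages in the security category.
DENIED_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+: (?P<what>[^']*)'(?P<name>[^']*)' denied")

# Constructed sample lines (not taken from a real named.security file).
SAMPLE_LOG = """\
30-Nov-2004 11:33:22.118 security: info: client 192.0.2.10#1025: query (cache) 'example.test/A/IN' denied
30-Nov-2004 11:33:23.004 security: info: client 192.0.2.10#1026: query (cache) 'mail.example.test/MX/IN' denied
30-Nov-2004 11:33:25.771 security: info: client 198.51.100.7#3421: zone transfer 'example.test/IN' denied
30-Nov-2004 11:33:26.002 client: info: client 192.0.2.10#1027: no more recursive clients: quota reached
"""

def parse_line(line):
    """Split a channel line into its printed fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def denied_by_client(text):
    """Count denied queries/transfers per source address, security category only."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["category"] != "security":
            continue  # the client category carries other messages; skip them here
        m = DENIED_RE.search(rec["message"])
        if m:
            counts[m.group("client")] += 1
    return counts

if __name__ == "__main__":
    for addr, n in denied_by_client(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} denied")
```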
《Solution》
Well written. I am still learning....