Main Menu
PHP Tools
PHP Help Request
PHP Editors Newsletter
Editor Search
Reviewed PHP Editors
Latest News
Submit News
PHP Tutorials
PHP Book Reviews
Online Book Chapters
PHP Games

Forums
RSS 2.0
PHP Desktop Editors
Other PHP Tools
PHP Contests
PHP Programming Help
Linux Help
Apache Help
MySQL Help
PHP Games
PHP Jobs
PHP Forums Home

Programming Contest
PHP Contests
PHP Contests Archive

Documentation
PHP Manual
PEAR Manual
PHP-GTK Manual
Smarty Manual
PostgreSQL Manual
CSS 2 Reference
Redhat Linux 9
HTML 4.01
Apache 2 Manual

Partner Sites
Ajax Tutorials
Webmaster Resources
Web Templates
PHP Scripts
PHP Code Examples
Learn PHP playing Trivia
PHP & MySQL Forums
Web Development Index
web site templates

Sponsors

NuSphere



All Red Hat Linux documents are copyrighted to Red Hat Inc.

Red Hat Linux 9: Red Hat Linux Reference Guide
PrevChapter 12. Berkeley Internet Name Domain (BIND)Next

12.5. Advanced Features of BIND

Most BIND implementations only use named to provide name resolution services or to act as an authority for a particular domain or sub-domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.

CautionCaution
 

Some of these advanced features, such as DNSSEC, TSIG, and IXFR, should only be used in network environments with nameservers that support the features. If your network environment includes non-BIND or older BIND nameservers, check to see if a particular advanced feature is available before attempting to use it.

All of the features mentioned here are discussed in greater detail in the BIND 9 Administrator Reference Manual. See Section 12.7.1 Installed Documentation for more information.

12.5.1. DNS Protocol Enhancements

BIND supports Incremental Zone Transfers (IXFR), where slave nameserver will only download the updated portions of a zone modified on a master nameserver. The standard transfer process requires that the entire zone be transferred to each slave nameserver for even the smallest change. For very popular domains with very lengthy zone files and many slave nameservers, IXFR makes the notification and update process much less resource intensive.

Note that IXFR is only available if when using dynamic updating to make changes to master zone records. If manually editing zone files to make changes, AXFR is used. More information on dynamic updating is available in the BIND 9 Administrator Reference Manual. See Section 12.7.1 Installed Documentation for more information.

12.5.2. Multiple Views

Through the use of the view statement in named.conf, BIND can present different information depending on who is making the request.

This is primarily used to deny sensitive DNS entries from clients outside of the local network, while allowing queries from clients inside the local network.

The view statement uses the match-clients option to match IP addresses or entire networks and give them special options and zone data.

12.5.3. Security

BIND supports a number of different methods to protect the updating and transfer of zones, on both master and slave nameservers:

  • DNSSEC — Short for DNS SECurity, this feature allows for zones to be cryptographically signed with a zone key.

    In this way, the information about a specific zone can be verified as coming from a nameserver that has signed it with a particular private key, as long as the recipient has that nameserver's public key.

    BIND version 9 also supports the SIG(0) public/private key method of message authentication.

  • TSIG — Short for Transaction SIGnatures, this feature allows a transfer from master to slave is authorized only after verifying that a shared secret key exists on the master and slave servers.

    This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.

    BIND version 9 also supports TKEY, which is another shared secret key method of authorizing zone transfers.

12.5.4. IP version 6

BIND version 9 can provide nameservice in IP version 6 (IPv6) environments through the use of A6 zone records.

If the network environment includes both IPv4 and IPv6 hosts, use the lwresd lightweight resolver daemon on all network clients. This daemon is a very efficient, caching-only nameserver which understands the new A6 and DNAME records used under IPv6. See the lwresd man page for more information.

PrevHomeNext
Using rndcUpCommon Mistakes to Avoid
© Copyright 2003-2023 www.php-editors.com. The ultimate PHP Editor and PHP IDE site.