Implementing BIND on Mac OS X
Pages: 1, 2
Reverse Lookup Zones
Reverse lookup zones contain data for reverse DNS queries. A reverse query is used to resolve an address to a hostname.
As far as structure goes, a reverse lookup zone is the same as a forward lookup zone:
;
; /var/named/db.192.168.1 - Zone file for 192.168.1 network
;
$TTL 86400 ; 1 day
1.168.192.in-addr.arpa IN SOA ns.example.com. root.example.com. (
2003040101 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
; name servers
1.168.192.in-addr.arpa IN NS ns1.example.com.
1.168.192.in-addr.arpa IN NS ns2.example.com.
; address to host mappings
1 IN PTR gateway.example.com.
2 IN PTR ns1.example.com.
3 IN PTR ns2.example.com.
5 IN PTR www.example.com.You might notice that the main difference is in the use of PTR records instead of A records. PTR records are the most used record in a reverse lookup zone. The first field of a PTR record contains the last octet of the host's IP address. So, in the case of 192.168.1.1, it would be just 1. The value of the record is the fully qualified domain name of the host in question (for example, gateway.example.com.). Remember those trailing periods in fully qualified domain names!
The other portion that is different is the name of the zone. Reverse lookup zones are named by inverting the network address and adding ".in-addr.arpa" to it. For example, for a host with an IP address of 192.168.1.5, its network would be 192.168.1 (well, assuming you're using a /24 subnet mask). The reverse of the network would be 1.168.192. Slap on the ".in-addr.arpa" and you get the "1.168.192.in-addr.arpa" found in the zone above. Conversely, the filename for this zone would be db.192.168.1.
To load a reverse lookup zone, place the entry below in your named.conf file. The fields used are the same as those for a forward lookup zone.
zone "1.168.192.in-addr.arpa" in
{
type master;
file "db.192.168.1";
};Zone Notation Shorthand
There are a few different shortcuts you can take when creating zone files. One allows you to use an @ symbol in place of $ORIGIN. The $ORIGIN for a zone file is specified in the named.conf configuration file in the zone field. In the reverse lookup example above, the $ORIGIN would be "1.168.192.in-addr.arpa". A revised version of the SOA and NS records for our reverse zone that uses @ notation would be:
@ IN SOA ns.example.com. root.example.com. (
2003040101 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
; name servers
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.Note that if a different $ORIGIN is declared within the zone file then it will be used instead. A similar shortcut is that if you do not declare a new name for a record, named will substitute the last one used. For example, the zone above and the zone below both do the same thing:
@ IN SOA ns.example.com. root.example.com. (
2003040101 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
; name servers
IN NS ns1.example.com.
IN NS ns2.example.com.Notice that there is no indication of which host the NS records are for. Instead, it is assumed that the records are for the last entry used, which in this case is the @ record. These shortcuts should save you some time when creating zone files. By using them, you can also create generic zone files that will work with more than one lookup. A good use for this would be if you're running a web hosting service and have several zones that contain the exact same data. Create a single zone file that contains @ notation and then use it multiple times in your named.conf file.
The last shortcut I'll discuss is the use of non fully qualified domain names in zone files. In the example.com zone above, the www record is declared as:
www.example.com. IN A 192.168.1.5If I were to specify just the host portion of this address, named will append the $ORIGIN to the end of the entry. This is the reason that you must be sure to put a trailing period on fully qualified domain names. The entry above and the entry below have the same result:
www IN A 192.168.1.5The named Configuration File
Using the blocks of data at the end of the various zone types above, you can create the majority of your named.conf configuration file with ease. The only remaining section is the options section declared at the top of the configuration file. The options section is used to specify parameters which affect named as a whole. Below is the example named.conf file, followed by explanations of the various sections:
//
// /etc/named.conf - Configuration file for named DNS server
//
// General Parameters
options
{
directory "/var/named";
forward first;
forwarders
{
63.240.76.19;
204.127.198.19;
};
allow-transfer
{
none;
};
};
// Hint Zone
zone "." in
{
type hint;
file "named.ca";
};
// Domains (forward)
zone "example.com" in
{
type master;
file "db.example.com";
};
// Networks (reverse)
zone "0.0.127.in-addr.arpa" in
{
type master;
file "db.127.0.0";
};
zone "1.168.192.in-addr.arpa" in
{
type master;
file "db.192.168.1";
};General Parameters
The options specified above work as follows: The directory declaration is used to determine where all of your zone files and other named configuration data is kept (this does not necessarily mean named.conf). The forward first and forwarders declarations tell named to forward all queries to the DNS servers listed before attempting to resolve the query on its own. Using query forwarding allows you to speed up your resolution process (it is usually quicker to query your ISP's server instead of the root servers). The allow-transfer section prevents unauthorized users from downloading entire copies of your zones. This is a security precaution that is similar to limiting someone to using directory assistance for telephone number lookups instead of giving them a phone book. The end user can only query for specific records instead of having access to the entire directory.
Domains and Networks
These sections contain the declarations for the zones above. Notice that in the Networks section there is a declaration for 0.0.127.in-addr.arpa. This zone represents the reverse lookup information for your machine's loopback address. Below is the zone's contents:
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.Slave Servers and Zone Transfers
The final portion of the named.conf file that I'm going to cover is the configuration of slave servers. The DNS standards recommend that at least two name servers (on separate systems, networks, etc.) should be authoritative for your domain. While it is entirely possible to maintain two separate copies of a zone's data on two separate servers by hand, most administrators will instead choose to make one of the servers a master and the other a slave.
Slave servers use zone transfers to acquire their zone data from master servers. On the master server, you must allow your slave server to request whole zones. One the slave server, you must configure the slave to request zones from the master. Below are the two entries necessary; the first for the master, second for slave:
// master zone
zone "example.com" in
{
type master;
file "db.example.com";
allow-transfer
{
192.168.1.3;
};
};
// slave zone
zone "example.com" in
{
type slave;
file "db.example.com";
masters
{
192.168.1.1;
};
};Final Thoughts
While I haven't touched upon every portion of BIND, this article provides enough information to get you started with a basic DNS setup. For further reading, I highly recommend DNS and BIND by Paul Albitz and Cricket Liu. It's a must read for anyone who will be working with BIND on a regular basis.
Jason Deraleau works as a systems administrator by day, IT consultant and technical writer by night, and is the coauthor of the upcoming Running Mac OS X Tiger.
Return to the Mac DevCenter.
You must be logged in to the O'Reilly Network to post a talkback.
Showing messages 1 through 25 of 25.
-
"Good to the last step" !
2003-12-18 16:07:27 rh416 [Reply | View]
-
"Good to the last step" !
2004-08-06 06:02:38 Jason Deraleau |
[Reply | View]
The instructions mention that you may have to modify or create the startup script. If you paste the afforementioned script into the file/Library/StartupItems/BIND/BIND, thechmodcommand will work properly.
-
Perfect Article
2003-10-18 21:22:55 anonymous2 [Reply | View]
I followed this article exactly.
Compiled bind9, set up my configuration files, rebooted and BAM! The domain I was setting up worked perfectly.
This was on OXX server 10.2.8. Thank you thank you.
I have condensed (ahem *stolen*) this article and condensed it into a quick reference quide. (With credits at the bottom). Again.. thank you. Well done.
http://www.macnode.com/articles/bind.html -
needs revamp for 10.3
2004-08-06 03:40:52 vcoadmin [Reply | View]
Yes even though it's a year later your guess is right as i've had to get around this erata myself
i asked this lot to update this and so have others but it falls on deaf ears.
sudo chmod 0755 /system/library/startupitems/bind/bind
Is how it should've read your spoton as the articles instructions send you of to oblivion.
Personally i would like to see this article revisited and redone for Panther users etc
as this docs good but Vague and partially misleading.
Another thing for those unaware Jaguar/Panther
have onboard Mailserver capabillities which
just need to be enabled (saves getting OSX server :P)
Postfix enabler is a handy program also worth a lookin.
Mac OSX has allsorts to offer yet getting it to work is another question alltogether.
I had Bind9.2.3 automaticly starting with
Panther many moons ago but stuffed if i can get it to do it now this using the articles above methods explained.
Now so far each time i've had to manually start
the dns through stellardns not handy.
I've now come back here to backtrack and nitpick this method as it's in need of work. -
needs revamp for 10.3
2004-08-06 06:05:48 Jason Deraleau |
[Reply | View]
The majority of the article is still accurate and pertinent. The only parts that may cause some users issue is the section on getting BIND to start automatically. On Panther, it's simply a matter of modifying/etc/hostconfigso that theDNSSERVERline is-YES-.
All of the other information on working with zones and the different types of zones remains true for Panther (and really, all versions of BIND 8 and up).
-
needs revamp for 10.3
2006-10-18 12:27:28 ecstreem [Reply | View]
Needs even more revamp for 10.4. I've been fiddling with Bind trying to install it using this article. I haven't worked out the bugs but I did find a few answers to hurdles I've encoutnered. I couldn't get Bind to autostart using your directions. Because Tiger used launchd, you need to modify:
/System/Library/LaunchDaemons/org.isc.named.plist
Change
<key>Disabled</key>
<true/>
to
<key>Disable</key>
<false/>
I found I also had to run:
sudo /usr/sbin/rndc-confgen -a to create the rndc.key file.
The PLIST edit came from:
http://blogs.vislab.usyd.edu.au/index.php/Masa/2006/09/05/bind_on_os_x_tiger
twh
-
Trailing dots!
2003-06-09 11:21:15 anonymous2 [Reply | View]
Hello Jason, I know you from the Mac OS X Server mailing list and we've also chatted a couple of times on iChat. I read your article as a nice introduction to a simple DNS configuration, but I feel there are some things you left out that maybe should have been included, like the configuration of the forward loopback zone.
Other than that, the article is very consice and complete... good in short. Just some tiny details that escaped you:
1.168.192.in-addr.arpa IN SOA ns.example.com. root.example.com.
You forgot to put the trailing dot just after the "in-addr.arpa" record pointing to the SOA entry. And also:
; name servers
1.168.192.in-addr.arpa IN NS ns1.example.com.
1.168.192.in-addr.arpa IN NS ns2.example.com.
The trailing dots are missing there too! The funny thing is that you even mention it in the paragraph below: "be careful about those trailing dots"! Looks like it bit you!
Well Jason, thanks for your offerings for the Mac-UNIX community, I'm sure plenty here appreciate them. Congratulations on all the articles you're already published, keep up the good work!
Sincerely,...
Juan Manuel Palacios (jmpalacios@mac.com)
(you rememeber me now?)
-
OS X Server 10.2.5 installation
2003-05-06 11:07:23 anonymous2 [Reply | View]
I installed BIND 9.2.2 on a OSX server and it will not startup. (I forget what the system log said exactly, but it wasn't very helpful, just didn't start). Any advice on getting BIND 9.2.2 to run on a Jaguar server? Anyone?
-
Success !!!
2003-05-05 18:19:38 anonymous2 [Reply | View]
I disagree on the fact that this article has significant flaws. It's easy and mostly "it works"...
Truth is, nobody faint at heart should anyway try to install bind9 on OS X just for the fun... :-)
Most articles around don't even tackle the problem in securing zone transfers. I myself often leech around transfering zones from other servers to check how they've configured some things and to be honest, most of the servers around don't have secured transfers.
Anyway, just to share my experience, when I found this article I was already downloading and compiling bind through the tools made by the fink project (http://fink.sourceforge.net/)... their stuff is quite good and it might be worth a mention.
It stormed through the installation and compiling process and it also installed another 15 packages. Some xml libraries and other stuff I'm not exactly sure if they where needed (mainly because I trust the author of this article that simply downloading and compiling from isc.org works).
Anyway I was also able to implement keys and rndc without much effort and I currently have 4 nameservers (2 on linux 1 on FreeBSD and 1 on OS X) that are working great in a matter of a day of work. I assume that the target audience of this article is not going to run bind9 for a large scale zone without even reading some books. Understanding all the fuss behind keys, rndc and acl classes is way out of the scope (my opinion) and it took me some time to "process" all the concepts.
Three questions for all of you BIND gurus around somewhere:
Question 1:
Can you give some advice on changing things so that named starts with uid named and not root? Where should I act and what privs should I give.
Question 2:
Can you point me out some good place (or some help directly) where I can find info on setting up zones in that kind of inverted master-slave configuration I've read about somewhere. I mean having a master server act as a slave for the rest of the world and a slave acting as master, so that I can have an in-house server on the OS X that IS the master, but queries will go mainly to the slave machine thinking that HE is the master.
You know, the idea of managing zones with bbedit is way too tempting... :-)
Question 3:
In an OS X Server enviroment, is there a way to use the nifty ServerSettings.app to start bind9 instead of bind8? I'm afraid it could cause some conflicts. Does that app rely on any script somewhere that we can modify. Since I'm also a brand new cocoa-newbie, It might be fun just to write a plug for those tools but I can't find any help on where to look for documentation on exapnding those utilities (assuming there is a way).
Hoping not to have driven the discussion too off-topic,
warm regards from italy,
rdm -
Success !!!
2003-05-31 16:18:58 macmartin [Reply | View]
I agree that this article is pretty much all-right an just enough for the first try-outs on DNS.
I think seriously using such powerful tools like BIND of course need some deeper understanding on the theory behind it such as TCP/IP, ISO-OSI etc.
Concerning your questions I can only give it a try (any reactions will be appreciated)
Q1:
No idea whatīs the reason for this wish
- on my system (10.2.6) there is not even a user "named" in the passwd by default
It might work, if you would chown named the named - file and set the SUID-BIT:
# sudo chown named /usr/sbin/named
# sudo chmod u+s /usr/sbin/named
Plese post, whether this works.
Of course the user "named" must have sufficient rights to do the job well.
Q2:
I donīt know. whether I got you right, because it seems so simple to me.
Just tell the client-machines that their DNS-Server is the machine (your slave who acts as master) that you want to do the main work of name resolution.
This should make them ask the slave.
Cantīt say anything about Mac OS X Server, since I donīt have it.
Hope this will push the discussion.
By the way:
If anyone is interested in some occasional email-exchange on Howto configure Mac OS X please post
I myself have configured BIND 8.3.4 mainly with the help of an article about BIND on SuSE Linux.
If only someone could tell me what the
named[1024]: Forwarding source address is [0.0.0.0].49246
in the system.log means, Doesnīt seem to be correct.
greetings from germany
macmartin
-
getting error w/directions
2003-04-30 15:27:08 anonymous2 [Reply | View]
I actually have the most recent o'reilly bind book, but hopefully this is just a simple error. I followed the directions in the article (with bind9 just compiled), however, i get this in my system log on os x 10.2.5
Apr 30 18:20:46 howard named[265]: listening on IPv4 interface lo0, 127.0.0.1#53
Apr 30 18:20:46 howard named[265]: listening on IPv4 interface en0, 192.168.1.107#53
Apr 30 18:20:46 howard ntpdate[288]: ntpdate 4.1.1@1.786 Sun Jul 14 03:19:16 PDT 2002 (1)
Apr 30 18:20:46 howard named[265]: none:0: open: /usr/local/bind9/etc/rndc.key: file not found
Apr 30 18:20:46 howard named[265]: couldn't add command channel 127.0.0.1#953: file not found
Apr 30 18:20:46 howard named[265]: none:0: open: /usr/local/bind9/etc/rndc.key: file not found
Apr 30 18:20:46 howard named[265]: couldn't add command channel ::1#953: file not found
Apr 30 18:20:46 howard named[265]: entropy.c:280: unexpected error:
Apr 30 18:20:46 howard named[265]: fcntl(10, F_SETFL, 4): Operation not supported by device
Apr 30 18:20:46 howard named[265]: could not open entropy source /dev/random: unexpected error
Apr 30 18:20:46 howard named[265]: couldn't open pid file '/usr/local/bind9/var/run/named.pid': No su
ch file or directory
any ideas??? i'm gonna look it up later to see what went wrong, but any hints would be most appreciated. -
getting error w/directions
2003-12-18 06:33:30 dst [Reply | View]
Hi,
When Istarted my DNS sever,it works properly. After a few days it fails and I got an error message:
Dec 18 16:01:54 eagle named[252]: [ID 873579 daemon.error] none:0: open: /etc/rndc.key: file not found
Dec 18 16:01:54 eagle named[252]: [ID 873579 daemon.notice] couldn't add command channel 127.0.0.1#953: file not found
So how can i fix it? I expect your immediate reply. Thanks!
-
getting error w/directions
2003-12-18 06:18:31 dst [Reply | View]
Dec 18 16:01:54 eagle named[252]: [ID 873579 daemon.error] none:0: open: /etc/rndc.key: file not found
Dec 18 16:01:54 eagle named[252]: [ID 873579 daemon.notice] couldn't add command channel ::1#953: file not found
-
getting error w/directions
2003-12-18 06:03:15 anonymous2 [Reply | View]
Dec 18 16:01:52 eagle named[252]: [ID 873579 daemon.notice] starting BIND 9.2.3
Dec 18 16:01:54 eagle named[252]: [ID 873579 daemon.error] none:0: open: /etc/rndc.key: file not found
Dec 18 16:01:54 eagle named[252]: [ID 873579 daemon.notice] couldn't add command channel 127.0.0.1#953: file not found
-
getting error w/directions
2003-05-22 15:24:25 anonymous2 [Reply | View]
I got this same set of errors as well. Reading from the ISC web site ( http://www.isc.org/products/BIND/bind9.html ): OS X 10.1.4 (Darwin 5.4) reports errors like "fcntl(3, F_SETFL, 4): Operation not supported by device". This is due to a bug in "/dev/random" and impacts the server's DNSSEC support.
I'm running 10.2.6 (Darwin Kernel Version 6.5) and I still see it. How did the author get it to work?? -
getting error w/directions
2003-12-03 21:43:40 anonymous2 [Reply | View]
Hi,
I seem to be getting some of the errors from above:
Dec 3 21:40:52 localhost named[527]: starting BIND 9.2.3 -c /etc/named.conf
Dec 3 21:40:52 localhost named[527]: using 1 CPU
Dec 3 21:40:52 localhost named[527]: loading configuration from '/etc/named.conf'
Dec 3 21:40:52 localhost named[527]: listening on IPv4 interface lo0, 127.0.0.1#53
Dec 3 21:40:52 localhost named[527]: listening on IPv4 interface en1, 10.0.1.4#53
Dec 3 21:40:52 localhost named[527]: none:0: open: /usr/local/bind9/etc/rndc.key: file not found
Dec 3 21:40:52 localhost named[527]: /etc/named.conf:7: couldn't install keys for command channel 127.0.0.1#54: file not found
Dec 3 21:40:52 localhost named[527]: /etc/named.conf:7: couldn't add command channel 127.0.0.1#54: file not found
Dec 3 21:40:52 localhost named[527]: couldn't open pid file '/usr/local/bind9/var/run/named.pid': No such file or directory
Dec 3 21:40:52 localhost named[527]: exiting (due to early fatal error)
I added the var/run directories under /usr/local/bind9 and it starts up fine, but still no luck with the etc/rndc.key file. Can you explain these problems? Author?
Thanks for the great article! -
getting error w/directions
2003-12-04 05:23:57 Jason Deraleau |
[Reply | View]
Here: http://www.oreillynet.com/cs/user/view/cs_msg/17133
You'll find a post which discusses what rndc does and why you're seeing that error. -
getting error w/directions
2003-12-04 18:41:40 anonymous2 [Reply | View]
Hi! Thanks for the quick response. I now understand the rndc error. As for the other error:
==========
Dec 3 21:40:52 localhost named[527]: couldn't open pid file '/usr/local/bind9/var/run/named.pid': No such file or directory
Dec 3 21:40:52 localhost named[527]: exiting (due to early fatal error)
===========
Why is it trying to put the pid file under the install directory. I thought the default configuration for the named.pid was in /var/run?
Did I miss something in the compilation?
Any input is greatly appreciated.
Thanks!
Paolo
-
That anonymous poster is back! : )
2003-04-16 20:53:50 anonymous2 [Reply | View]
Hi.
Sorry for being so hard last time, but I believe if you are going to set up something like BIND you should do it correctly and let people know about all the options.
Yes maybe I was a bit unfair in saying you didn't consider the security options when you did take zone transfer into consideration (which a lot of people don't when they first set it up). Thanks for following up and providing the details on recursion so that people understand what they have to do.
The only other points I would make beside rndc (again) would be that you do not use /var/named at all for your config files. If you make bind9 in /usr/local/ your conf files and zones should be in there as well (eg: /usr/local/var/named). Although it is normal practice on many other systems to use /var/named it would be wise to make your own directories, conf and zone files and not touch the Apple supplied files. This way if they change them, you don't have to worry about them altering/deleting your files.
For people who are setting up BIND9 they should make sure they have the BIND 9 Administrator Reference Manual (http://www.nominum.com/content/documents/bind9arm.pdf) as this will answer a lot of questions and has good examples in it.
Also the mailing list archives are a good place to search in case you get stuck and I am also on there as well.
Just some extra thought.
-
Author's Note on Recursion and Security
2003-04-16 13:54:35 Jason Deraleau |
[Reply | View]
An anonymous poster brought up an excellent point about securing the recursion feature of named. For those of you who aren't as familiar with the DNS, here's a brief explanation of how DNS queries work and what recursion does.
Your client computer has the bare necessities for DNS resolution. It basically knows how to ask a DNS server for information. It doesn't know about root servers or how the DNS space really works. It just knows that it has to ask ns1.myisp.com to resolve www.yahoo.com. When your client machine sends a request to your ISP's DNS server, it is done using what is known as a recursive query.
A recursive query puts the complete task of name resolution upon the queried server. Because your client computer doesn't know enough about how DNS is setup, it uses a recursive query to ask your ISP's name server. Your ISP's name server will then search its cache for the data. If it's not found, it will attempt to query the root servers. The root servers will then tell your ISP's name server where the name servers for the com top level domain are. Your ISP's name server will then query the com servers for where yahoo's name servers are. Finally, your ISP's name server will query the yahoo.com servers for the www record. As you can see here, your ISP's name server is doing most of the work.
In earlier versions of BIND there were few tools that could be used to keep someone from using your name server for recursive queries. This presented issues from a security and resources angle. With later releases, the ISC added tools to restrict who can use your server for recursive querying. It's a pretty painless process. If you'd like to turn off recursion completely, add the following to your named.conf file in the options section:
options {
. . .
recursion no;
};
Realize that by disabling recursion completely, your name server cannot be used to do lookups by your client machines. So if you're using the DNS server to do lookups for your LAN, you need to have recursion on. However, you can restrict recursion to a network as follows:
options {
. . .
allow-recursion {
127.0.0.0/8;
192.168.1.0/27;
};
};
-
Another article like this on macosxhints
2003-04-16 08:32:02 anonymous2 [Reply | View]
http://www.macosxhints.com/article.php?story=20021203063409206
-
obviously no one checked this before posting!
2003-04-16 00:45:58 anonymous2 [Reply | View]
can you remove the article as its full of mistakes and does not teach people the correct way of setting up bind 9.2.2 at all.
for example you have: ./configure -prefix=/usr/local/bind9 - it should be: ./configure --prefix=/usr/local/bind9
there is no mention of rndc which is the correct way to control and manage bind 9.
and last but not least, no security considerations at all.
basically if you follow these directions, you have a full recursive dns server for anyone in the world to use and abuse.
disappointed in such a bad article has flagship status on o'reilly! -
Re: obviously no one checked this before posting! - author note
2003-04-16 13:53:08 Jason Deraleau |
[Reply | View]
First off, thanks for pointing out the typo in the configure script's line. Sometimes the little things slip through :) As to the rest of your post, you bring up some very valid points:
* I agree that rndc is the way that one should work with the named daemon of BIND 9, much like one /should/ use ndc when working with earlier versions. In my experience, they don't get used very often. While both rndc and ndc are useful tools, you can still call named directly and get the job done. That's not to discount these tools; by not using rndc, you do give up some nice features.
The ability to remotely control your DNS server is a beautiful thing, but I hardly feel it is something to be covered in an article that is intended for an introductory audience. Since not using rndc poses little more than a warning in the logs, as well as for simplicity's sake, I have not covered it here. For those who are a little more comfortable with BIND and are looking to use this great tool, a "man -M /usr/local/bind9/man rndc" should get you started in the right direction.
* As far as your statement about a lack of security considerations, I do not feel this is completely accurate. While I agree that recursion is an important topic, especially in light of the security flaw which was recently found (and since corrected) that affected recursive servers, saying that I didn't take security at all into consideration is unfair. I did in fact cover securing zone transfers.
Recursion is a pertinent feature and definitely worth discussing, but I initially feared that i would go beyond the original scope of the article. In order to help alleviate your concern, I'm going to make a separate post in regards to describing recursion and how to secure recursion in named.
Again, thanks for your help with the typo and your excellent feedback.
The author, Jason Deraleau
-
obviously no one checked this before posting! --Ed Note
2003-04-16 09:36:02 Derrick Story |
[Reply | View]
Hi. I don't think the situation is quite as dire as you portray in your talkback. I'm checking with the author now, and we'll follow up here within a few hours.
Thanks for bringing this to our attention!
-Derrick
I'm good to here, then I get "no such file or directory". Can anyone help? I'm pulling my hair out! (OSX 10.2.8) Previous references to startupitems were in the /system/library... Is that what I should be referencing?
Thanks,
Rick