- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.106 2009/04/02 15:11:38 jreed Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.107 2009/04/02 15:28:09 jreed Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
</programlisting>
<para>
- The algorithm,
hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+ The algorithm,
<literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <filename>named.conf</filename> be non-world
readable, or the key directive be added to a non-world readable
be denoted <command>key host1-host2.</command>
</para>
<para>
- An example of an allow-update directive would be:
+ An example of an <command>allow-update</command> directive would be:
</para>
<programlisting>
<command>allow-update</command>,
<command>allow-update-forwarding</command>, and
<command>blackhole</command> all use address match
- lists. Similarly, the listen-on option will cause the
+ lists. Similarly, the <command>listen-on</command> option will cause the
server to not accept queries on any of the machine's
addresses which do not match the list.
</para>
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
- </para>
- <para>
For example:
</para>
<para>
with the character <literal>#</literal> (number sign)
and continue to the end of the
physical line, as in C++ comments.
- </para>
- <para>
For example:
</para>
<para>
The pathname of the file the server writes its process ID
in. If not specified, the default is <filename>/var/run/named.pid</filename>.
- The pid-file is used by programs that want to send signals to
+ The PID file is used by programs that want to send signals to
the running
name server. Specifying <command>pid-file none</command> disables the
use of a PID file — no file will be written and any
<para>
The interfaces and ports that the server will answer queries
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
- an optional port, and an <varname>address_match_list</varname>.
+ an optional port and an <varname>address_match_list</varname>.
The server will listen on all interfaces allowed by the address
match list. If a port is not specified, port 53 will be used.
</para>
to be used, you should set
<command>use-alt-transfer-source</command>
appropriately and you should not depend upon
- getting a answer back to the first refresh
+ getting an answer back to the first refresh
query.
</note>
</listitem>
<term><command>edns-udp-size</command></term>
<listitem>
<para>
- Sets the advertised EDNS UDP buffer size in bytes. Valid
- values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value is
- 4096. The usual reason for setting edns-udp-size to
- a non-default value is to get UDP answers to pass
- through broken firewalls that block fragmented
- packets and/or block UDP packets that are greater
- than 512 bytes.
+ Sets the advertised EDNS UDP buffer size in bytes
+ to control the size of packets received.
+ Valid values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value
+ is 4096. The usual reason for setting
+ <command>edns-udp-size</command> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
</para>
</listitem>
</varlistentry>
send in bytes. Valid values are 512 to 4096 (values outside
this range will be silently adjusted). The default
value is 4096. The usual reason for setting
- max-udp-size to a non-default value is to get UDP
+ <command>max-udp-size</command> to a non-default value is to get UDP
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
loopback address and the IPv6 unknown addresss.
</para>
<para>
- Named will attempt to determine if a built in zone already exists
+ Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
and will not create a empty zone in that case.
</para>
<note>
The real parent servers for these zones should disable all
empty zone under the parent zone they serve. For the real
- root servers, this is all built in empty zones. This will
+ root servers, this is all built-in empty zones. This will
enable them to return referrals to deeper in the tree.
</note>
<variablelist>
<filename>ex/example.com</filename> where <filename>ex/</filename> is
just the first two letters of the zone name. (Most
operating systems
- behave very slowly if you put 100 000 files into
+ behave very slowly if you put 100000 files into
a single directory.)
</para>
</entry>
the mail will be delivered to the server specified in the MX
record
pointed to by the CNAME.
- </para>
- <para>
For example:
</para>
<informaltable colsep="0" rowsep="0">
<para>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
- normal ttl inheritance rules.
+ normal TTL inheritance rules.
</para>
<para><command>class</command>
and <command>ttl</command> can be
<sect1 id="Access_Control_Lists">
<title>Access Control Lists</title>
<para>
- Access Control Lists (ACLs), are address match lists that
+ Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <command>allow-notify</command>,
<command>allow-query</command>, <command>allow-recursion</command>,
<command>blackhole</command>, <command>allow-transfer</command>,
<sect1>
<title><command>Chroot</command> and <command>Setuid</command></title>
<para>
- On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
- (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
- option. This can help improve system security by placing <acronym>BIND</acronym> in
- a "sandbox", which will limit the damage done if a server is
- compromised.
+ On UNIX servers, it is possible to run <acronym>BIND</acronym>
+ in a <emphasis>chrooted</emphasis> environment (using
+ the <command>chroot()</command> function) by specifying
+ the "<option>-t</option>" option for <command>named</command>.
+ This can help improve system security by placing
+ <acronym>BIND</acronym> in a "sandbox", which will limit
+ the damage done if a server is compromised.
</para>
<para>
Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
user 202:
</para>
<para>
- <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
+ <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
</para>
<sect2>
BIND architecture.
</para>
<para>
- BIND version 4 is officially deprecated and BIND version
- 8 development is considered maintenance-only in favor
- of BIND version 9. No additional development is done
- on BIND version 4 or BIND version 8 other than for
- security-related patches.
+ BIND versions 4 and 8 are officially deprecated.
+ No additional development is done
+ on BIND version 4 or BIND version 8.
</para>
<para>
<acronym>BIND</acronym> development work is made
projects / thirdparty / bind9.git / commitdiff
