- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.69 2006/05/17 02:18:05 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.70 2006/06/09 00:38:57 marka Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
<emphasis>caching server</emphasis> are often used synonymously.</para>
<para>The length of time for which a record may be retained in
-in the cache of a caching name server is controlled by the
+the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
</para>
<varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable>
<optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem><para>Suspend updates to a dynamic zone. If no zone is specified
+ <listitem><para>Suspend updates to a dynamic zone. If no zone is specified,
then all zones are suspended. This allows manual
edits to be made to a zone normally updated by dynamic update. It
also causes changes in the journal file to be synced into the master
<optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
<listitem><para>Enable updates to a frozen dynamic zone. If no zone is
- specified then all frozen zones are enabled. This causes
+ specified, then all frozen zones are enabled. This causes
the server to reload the zone from disk, and re-enables dynamic updates
after the load has completed. After a zone is thawed, dynamic updates
will no longer be refused.</para></listitem>
<varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
<listitem><para>Dump the server's caches (default) and / or zones to the
- dump file for the specified views. If no view is specified all
+ dump file for the specified views. If no view is specified, all
views are dumped.</para></listitem></varlistentry>
<varlistentry><term><userinput>stop <optional>-p</optional></userinput></term>
<varlistentry><term><userinput>status</userinput></term>
<listitem><para>Display status of the server.
-Note the number of zones includes the internal <command>bind/CH</command> zone
-and the default <command>./IN</command> hint zone if there is not a
+Note that the number of zones includes the internal <command>bind/CH</command> zone
+and the default <command>./IN</command> hint zone if there is not an
explicit root zone configured.</para></listitem></varlistentry>
<varlistentry><term><userinput>recursing</userinput></term>
port is given on the command line or in a
<command>server</command> statement.</para>
-<para>The <command>key</command> statement defines an key to be used
+<para>The <command>key</command> statement defines a key to be used
by <command>rndc</command> when authenticating with
<command>named</command>. Its syntax is identical to the
<command>key</command> statement in named.conf.
<para>The zone files of dynamic zones cannot normally be edited by
hand because they are not guaranteed to contain the most recent
- dynamic changes - those are only in the journal file.
+ dynamic changes — those are only in the journal file.
The only way to ensure that the zone file of a dynamic zone
is up to date is to run <command>rndc stop</command>.</para>
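Review bot: the replacement dash in `dynamic changes — those are only in the journal file.` is a raw non-ASCII em-dash character dropped into the DocBook source; whether it survives depends on the file being saved as UTF-8 and on the XML declaration agreeing, and a mismatch shows up as a parse error or mojibake in the rendered manual. Use the `&mdash;` entity, or keep ASCII punctuation (a semicolon or the original hyphen) as the rest of this file does.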
<listitem>
<simpara>Look up any hostnames on the Internet.</simpara></listitem>
<listitem>
- <simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
+ <simpara>Exchange mail with both internal AND external people.</simpara></listitem></itemizedlist>
<para>Hosts on the Internet will be able to:</para>
<itemizedlist><listitem>
<simpara>Look up any hostnames in the <literal>site1</literal> and
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.</para>
<sect3><title>Automatic Generation</title>
-<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
+<para>The following command will generate a 128-bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a 128
-bit key.</para>
+keys longer than that will be digested with MD5 to produce a
+128-bit key.</para>
<para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
Nothing directly uses this file, but the base-64 encoded string
<para>When a SIG(0) signed message is received, it will only be
verified if the key is known and trusted by the server; the server
- will not attempt to locate and/or validate the key.</para>
+ will not attempt to locate and / or validate the key.</para>
<para>SIG(0) signing of multiple-message TCP streams is not
supported.</para>
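Review bot: `and / or` in the SIG(0) paragraph is inconsistent with the `and/or` spelling that this same patch leaves unchanged in the `edns-udp-size` paragraph further down; pick one form (the unspaced `and/or` is the usual one) and apply it in both places, or leave this line alone.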
designated as "mandatory to implement" by the IETF; currently
the only one is RSASHA1.</para>
- <para>The following command will generate a 768 bit RSASHA1 key for
+ <para>The following command will generate a 768-bit RSASHA1 key for
the <filename>child.example</filename> zone:</para>
<para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
generate <literal>NSEC</literal> and <literal>RRSIG</literal>
records for the zone, as well as <literal>DS</literal> for
the child zones if <literal>'-d'</literal> is specified.
- If <literal>'-d'</literal> is not specified then DS RRsets for
+ If <literal>'-d'</literal> is not specified, then DS RRsets for
the secure child zones need to be added manually.</para>
<para>The following command signs the zone, assuming it is in a
<para>
To enable <command>named</command> to respond appropriately
- to DNS requests from DNSSEC aware clients
+ to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes.
</para>
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
-/* Key for out organizations forward zone */
+/* Key for our organization's forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
<entry colname = "2"><para>An IP port <varname>number</varname>.
<varname>number</varname> is limited to 0 through 65535, with values
below 1024 typically restricted to use by processes running as root.
-In some cases an asterisk (`*') character can be used as a placeholder to
+In some cases, an asterisk (`*') character can be used as a placeholder to
select a random high-numbered port.</para></entry>
</row>
<row rowsep = "0">
</row>
<row rowsep = "0">
<entry colname = "1"><para><varname>number</varname></para></entry>
-<entry colname = "2"><para>A non-negative 32 bit integer
+<entry colname = "2"><para>A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.</para></entry>
permissions set such that only the owner of the file (the user that
<command>named</command> is running as) can access it. If you
desire greater flexibility in allowing other users to access
- <command>rndc</command> commands then you need to create an
- <filename>rndc.conf</filename> and make it group readable by a group
+ <command>rndc</command> commands, then you need to create a
+ <filename>rndc.conf</filename> file and make it group readable by a group
that contains the users who should have access.</para>
<para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
<para>If you use the <command>versions</command> log file option, then
<command>named</command> will retain that many backup versions of the file by
-renaming them when opening. For example, if you choose to keep 3 old versions
-of the file <filename>lamers.log</filename> then just before it is opened
+renaming them when opening. For example, if you choose to keep three old versions
+of the file <filename>lamers.log</filename>, then just before it is opened
<filename>lamers.log.1</filename> is renamed to
<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
specified.
</para>
<para>
-The query log entry reports the client's IP address and port number. The
+The query log entry reports the client's IP address and port number, and the
query name, class and type. It also reports whether the Recursion Desired
flag was set (+ if set, - if not set), EDNS was in use (E) or if the
query was signed (S).</para>
<varlistentry><term><command>preferred-glue</command></term>
<listitem><para>
-If specified the listed type (A or AAAA) will be emitted before other glue
+If specified, the listed type (A or AAAA) will be emitted before other glue
in the additional section of a query response.
The default is not to preference any type (NONE).
</para>
and root zones with an optional exclude list.
</para>
<para>
-Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
</para>
<programlisting>
options {
<varlistentry><term><command>dnssec-lookaside</command></term>
<listitem><para>
-When set <command>dnssec-lookaside</command> provides the
+When set, <command>dnssec-lookaside</command> provides the
validator with an alternate method to validate DNSKEY records at the
top of a zone. When a DNSKEY is at or below a domain specified by the
deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
<varlistentry><term><command>dnssec-must-be-secure</command></term>
<listitem><para>
-Specify heirarchies which must / may not be secure (signed and validated).
-If <userinput>yes</userinput> then named will only accept answers if they
+Specify heirarchies which must be or may not be secure (signed and validated).
+If <userinput>yes</userinput>, then named will only accept answers if they
are secure.
-If <userinput>no</userinput> then normal dnssec validation applies
+If <userinput>no</userinput>, then normal dnssec validation applies
allowing for insecure answers to be accepted.
The specified domain must be under a <command>trusted-key</command> or
<command>dnssec-lookaside</command> must be active.
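Review bot: the misspelling `heirarchies` on the first changed line of `dnssec-must-be-secure` survives the rewrite; since the line is being edited anyway, correct it to `hierarchies`. The reworded `which must be or may not be secure` is also hard to parse; something like `which must be secure (yes) or may be insecure (no)` matches what the two sentences that follow describe.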
<varlistentry><term><command>dialup</command></term>
<listitem><para>If <userinput>yes</userinput>, then the
server treats all zones as if they are doing zone transfers across
-a dial on demand dialup link, which can be brought up by traffic
+a dial-on-demand dialup link, which can be brought up by traffic
originating from this server. This has different effects according
to zone type and concentrates the zone maintenance so that it all
happens in a short interval, once every <command>heartbeat-interval</command> and
<command>zone</command> statements,
in which case it overrides the global <command>dialup</command>
option.</para>
-<para>If the zone is a master zone then the server will send out a NOTIFY
+<para>If the zone is a master zone, then the server will send out a NOTIFY
request to all the slaves (default). This should trigger the zone serial
number check in the slave (providing it supports NOTIFY) allowing the slave
to verify the zone while the connection is active.
<varlistentry><term><command>ixfr-from-differences</command></term>
<listitem>
<para>
-When 'yes' and the server loads a new version of a master
+When <userinput>yes</userinput> and the server loads a new version of a master
zone from its zone file or receives a new version of a slave
file by a non-incremental zone transfer, it will compare
the new version to the previous one and calculate a set
<listitem>
<para>
This should be set when you have multiple masters for a zone and the
-addresses refer to different machines. If 'yes' named will not log
+addresses refer to different machines. If <userinput>yes</userinput>, named will not log
when the serial number on the master is less than what named currently
has. The default is <userinput>no</userinput>.
</para></listitem></varlistentry>
<varlistentry><term><command>dnssec-enable</command></term>
<listitem>
<para>
-Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
+Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
named behaves as if it does not support DNSSEC.
The default is <userinput>no</userinput>.
</para></listitem></varlistentry>
<varlistentry><term><command>querylog</command></term>
<listitem>
<para>
-Specify whether query logging should be started when named start.
-If <command>querylog</command> is not specified then the query logging
+Specify whether query logging should be started when named starts.
+If <command>querylog</command> is not specified, then the query logging
is determined by the presence of the logging category <command>queries</command>.
</para></listitem></varlistentry>
from the network. The default varies according to usage area. For
<command>master</command> zones the default is <command>fail</command>.
For <command>slave</command> zones the default is <command>warn</command>.
-For answer received from the network (<command>response</command>)
+For answers received from the network (<command>response</command>)
the default is <command>ignore</command>.
</para>
-<para>The rules for legal hostnames or mail domains are derived from RFC 952
+<para>The rules for legal hostnames and mail domains are derived from RFC 952
and RFC 821 as modified by RFC 1123.
</para>
<para><command>check-names</command> applies to the owner names of A, AAA and
<varlistentry><term><command>forward</command></term>
<listitem><para>This option is only meaningful if the
forwarders list is not empty. A value of <varname>first</varname>,
-the default, causes the server to query the forwarders first, and
-if that doesn't answer the question the server will then look for
+the default, causes the server to query the forwarders first — and
+if that doesn't answer the question, the server will then look for
the answer itself. If <varname>only</varname> is specified, the
server will only query the forwarders.
</para></listitem></varlistentry>
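Review bot: the `forward first — and` edit has the same raw em-dash concern as the `rndc freeze` paragraph earlier in this patch, and here the dash also breaks the sentence in an odd place; the original comma after `first` read fine, so the only change this hunk needs is the added comma after `question`.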
<variablelist>
<varlistentry><term><command>dual-stack-servers</command></term>
<listitem><para>Specifies host names or addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used the server must be able
+both IPv4 and IPv6 transports. If a hostname is used, the server must be able
to resolve the name using only the transport it has. If the machine is dual
-stacked then the <command>dual-stack-servers</command> have no effect unless
+stacked, then the <command>dual-stack-servers</command> have no effect unless
access to a transport has been disabled on the command line
(e.g. <command>named -4</command>).</para></listitem>
</varlistentry>
query other name servers. <command>query-source</command> specifies
the address and port used for such queries. For queries sent over
IPv6, there is a separate <command>query-source-v6</command> option.
-If <command>address</command> is <command>*</command> or is omitted,
+If <command>address</command> is <command>*</command> (asterisk) or is omitted,
a wildcard IP address (<command>INADDR_ANY</command>) will be used.
If <command>port</command> is <command>*</command> or is omitted,
-a random unprivileged port will be used, <command>avoid-v4-udp-ports</command>
-and <command>avoid-v6-udp-ports</command> can be used to prevent named
-from selecting certain ports. The defaults are</para>
+a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
+and <command>avoid-v6-udp-ports</command> options can be used to prevent named
+from selecting certain ports. The defaults are:</para>
<programlisting>query-source address * port *;
query-source-v6 address * port *;
</programlisting>
</para>
<note>
If you do not wish the alternate transfer source
- to be used you should set
+ to be used, you should set
<command>use-alt-transfer-source</command>
appropriately and you should not depend upon
getting a answer back to the first refresh
</listitem></varlistentry>
<varlistentry><term><command>host-statistics-max</command></term>
-<listitem><para>In BIND 8, specifies the maximum number of host statistic
+<listitem><para>In BIND 8, specifies the maximum number of host statistics
entries to be kept.
Not implemented in BIND 9.
</para></listitem></varlistentry>
<listitem><para>The server will remove expired resource records
from the cache every <command>cleaning-interval</command> minutes.
The default is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</para>
+If set to 0, no periodic cleaning will occur.</para>
</listitem></varlistentry>
<varlistentry><term><command>heartbeat-interval</command></term>
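Review bot: the `-`/`+` pair for `If set to 0, no periodic cleaning will occur.</para>` shows no visible difference, so this is presumably a trailing-whitespace or line-ending change. If it is unintentional, drop it so the diff contains only real edits; if it is intentional, say so in the commit message.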
The client resolver code should rearrange the RRs as appropriate,
that is, using any addresses on the local net in preference to other addresses.
However, not all resolvers can do this or are correctly configured.
-When a client is using a local server the sorting can be performed
+When a client is using a local server, the sorting can be performed
in the server, based on the client's address. This only requires
configuring the name servers, not all the clients.</para>
</programlisting>
<para>If no class is specified, the default is <command>ANY</command>.
If no type is specified, the default is <command>ANY</command>.
-If no name is specified, the default is "<command>*</command>".</para>
+If no name is specified, the default is "<command>*</command>" (asterisk).</para>
<para>The legal values for <command>ordering</command> are:</para>
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
<listitem><para>Sets the number of seconds to cache a
lame server indication. 0 disables caching. (This is
<emphasis role="bold">NOT</emphasis> recommended.)
-Default is <literal>600</literal> (10 minutes). Maximum value is
+The default is <literal>600</literal> (10 minutes) and the maximum value is
<literal>1800</literal> (30 minutes).</para>
</listitem></varlistentry>
<varlistentry><term><command>max-ncache-ttl</command></term>
-<listitem><para>To reduce network traffic and increase performance
+<listitem><para>To reduce network traffic and increase performance,
the server stores negative answers. <command>max-ncache-ttl</command> is
used to set a maximum retention time for these answers in the server
in seconds. The default
<varlistentry><term><command>min-roots</command></term>
<listitem><para>The minimum number of root servers that
-is required for a request for the root servers to be accepted. Default
+is required for a request for the root servers to be accepted. The default
is <userinput>2</userinput>.</para>
<note>
<simpara>Not implemented in <acronym>BIND</acronym> 9.</simpara></note>
<term><command>edns-udp-size</command></term>
<listitem><para>
<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
-size. Valid values are 512 to 4096 (values outside this range will be
+size in bytes. Valid values are 512 to 4096 bytes (values outside this range will be
silently adjusted). The default value is 4096. The usual reason for
-setting edns-udp-size to a non default value it to get UDP answers to
+setting edns-udp-size to a non-default value it to get UDP answers to
pass through broken firewalls that block fragmented packets and/or
block UDP packets that are greater than 512 bytes.
</para></listitem></varlistentry>
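Review bot: `a non-default value it to get UDP answers` still carries the `it` for `is` typo on the changed line; fix it while the line is being touched. Also, `size in bytes. Valid values are 512 to 4096 bytes` now states the unit in two adjacent sentences; one mention, preferably in the first, is enough.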
be specified.
Similarly, for an IPv6 remote server, only
<command>transfer-source-v6</command> can be specified.
-Form more details, see the description of
+For more details, see the description of
<command>transfer-source</command> and
<command>transfer-source-v6</command> in
<xref linkend="zone_transfers"/>.</para>
<command>trusted-keys</command> are deemed to exist regardless
of what parent zones say. Similarly for all keys listed in
<command>trusted-keys</command> only those keys are
- used to validate the DNSKEY RRset. The parents DS RRset
+ used to validate the DNSKEY RRset. The parent's DS RRset
will not be used.
</para>
<para>
occur inside <command>view</command> statements.</para>
<para>Here is an example of a typical split DNS setup implemented
-using <command>view</command> statements.</para>
+using <command>view</command> statements:</para>
<programlisting>view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
recommended, since it often speeds server startup and eliminates
a needless waste of bandwidth. Note that for large numbers (in the
tens or hundreds of thousands) of zones per server, it is best to
-use a two level naming scheme for zone file names. For example,
+use a two-level naming scheme for zone file names. For example,
a slave server for the zone <literal>example.com</literal> might place
the zone contents into a file called
<filename>ex/example.com</filename> where <filename>ex/</filename> is
forwarding will be done for the domain, canceling the effects of
any forwarders in the <command>options</command> statement. Thus
if you want to use this type of zone to change the behavior of the
-global <command>forward</command> option (that is, "forward first
-to", then "forward only", or vice versa, but want to use the same
+global <command>forward</command> option (that is, "forward first"
+to, then "forward only", or vice versa, but want to use the same
servers as set globally) you need to re-specify the global forwarders.</para>
</entry>
</row>
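Review bot: moving the closing quote yields `"forward first" to, then "forward only"`, which is still not a sentence. The intended sense is switching the global setting from one mode to the other, so the parenthetical should read `(that is, "forward first" to "forward only", or vice versa, but want to use the same servers as set globally)`, dropping `then`.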
</row>
<row rowsep = "0">
<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
-<entry colname = "2"><para>This is used to enforce the delegation only
+<entry colname = "2"><para>This is used to enforce the delegation-only
status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
-is received without a explicit or implicit delegation in the authority
+is received without an explicit or implicit delegation in the authority
section will be treated as NXDOMAIN. This does not apply to the zone
-apex. This SHOULD NOT be applied to leaf zones.</para>
+apex. This should not be applied to leaf zones.</para>
<para><varname>delegation-only</varname> has no effect on answers received
from forwarders.</para></entry>
</row>
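Review bot: lowering `SHOULD NOT` to `should not` in the `delegation-only` table entry drops the emphasis the author put on a misconfiguration warning (applying it to leaf zones turns their answers into NXDOMAIN, per the preceding sentence). If the all-caps form is unwanted, keep the warning visible with `<emphasis role="bold">not</emphasis>`, as the `lame-ttl` description in this file already does.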
<varlistentry><term><command>delegation-only</command></term>
<listitem><para>The flag only applies to hint and stub zones. If set
-to <userinput>yes</userinput> then the zone will also be treated as if it
+to <userinput>yes</userinput>, then the zone will also be treated as if it
is also a delegation-only type zone.
</para>
</listitem></varlistentry>
<varlistentry><term><command>forwarders</command></term>
<listitem><para>Used to override the list of global forwarders.
If it is not specified in a zone of type <command>forward</command>,
-no forwarding is done for the zone; the global options are not used.</para>
+no forwarding is done for the zone and the global options are not used.</para>
</listitem></varlistentry>
<varlistentry><term><command>ixfr-base</command></term>
</row>
<row rowsep = "0">
<entry colname = "1"><para>type</para></entry>
-<entry colname = "2"><para>an encoded 16 bit value that specifies
+<entry colname = "2"><para>an encoded 16-bit value that specifies
the type of the resource record.</para></entry>
</row>
<row rowsep = "0">
<entry colname = "1"><para>TTL</para></entry>
-<entry colname = "2"><para>the time to live of the RR. This field
-is a 32 bit integer in units of seconds, and is primarily used by
+<entry colname = "2"><para>the time-to-live of the RR. This field
+is a 32-bit integer in units of seconds, and is primarily used by
resolvers when they cache RRs. The TTL describes how long a RR can
be cached before it should be discarded.</para></entry>
</row>
<row rowsep = "0">
<entry colname = "1"><para>class</para></entry>
-<entry colname = "2"><para>an encoded 16 bit value that identifies
+<entry colname = "2"><para>an encoded 16-bit value that identifies
a protocol family or instance of a protocol.</para></entry>
</row>
<row rowsep = "0">
<row rowsep = "0">
<entry colname = "1"><para>MX</para></entry>
<entry colname = "2"><para>identifies a mail exchange for the domain.
-A 16 bit preference value (lower is better)
+A 16-bit preference value (lower is better)
followed by the host name of the mail exchange.
Described in RFC 974, RFC 1035.</para></entry>
</row>
</row>
</tbody>
</tgroup></informaltable>
-<para>The MX RRs have an RDATA section which consists of a 16 bit
+<para>The MX RRs have an RDATA section which consists of a 16-bit
number followed by a domain name. The address RRs use a standard
-IP address format to contain a 32 bit internet address.</para>
-<para>This example shows six RRs, with two RRs at each of three
+IP address format to contain a 32-bit internet address.</para>
+<para>The above example shows six RRs, with two RRs at each of three
domain names.</para>
<para>Similarly we might see:</para><informaltable colsep = "0"
rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
be attempted.</para></sect2>
<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
-<para>The time to live of the RR field is a 32 bit integer represented
+<para>The time-to-live of the RR field is a 32-bit integer represented
in units of seconds, and is primarily used by resolvers when they
cache RRs. The TTL describes how long a RR can be cached before it
should be discarded. The following three types of TTL are currently
<row rowsep = "0">
<entry colname = "1"><para><command>range</command></para></entry>
<entry colname = "2"><para>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used then step is set to
+or start-stop/step. If the first form is used, then step is set to
1. All of start, stop and step must be positive.</para></entry>
</row>
<row rowsep = "0">
<entry colname = "1"><para><command>lhs</command></para></entry>
<entry colname = "2"><para><command>lhs</command> describes the
-owner name of the resource records to be created. Any single <command>$</command> symbols
+owner name of the resource records to be created. Any single
+<command>$</command> (dollar sign) symbols
within the <command>lhs</command> side are replaced by the iterator
value.
To get a $ in the output you need to escape the <command>$</command>
Modifiers are introduced by a <command>{</command> immediately following the
<command>$</command> as <command>${offset[,width[,base]]}</command>.
For example, <command>${-20,3,d}</command> which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of width 3. Available
+prints the result as a decimal in a zero-padded field of width 3. Available
output forms are decimal (<command>d</command>), octal (<command>o</command>)
and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
The default modifier is <command>${0,0,d}</command>.
If the <command>lhs</command> is not
absolute, the current <command>$ORIGIN</command> is appended to
the name.</para>
-<para>For compatibility with earlier versions <command>$$</command> is still
+<para>For compatibility with earlier versions, <command>$$</command> is still
recognized as indicating a literal $ in the output.</para></entry>
</row>
<row rowsep = "0">
lists of IP addresses.</para>
<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and DoS attacks against
-your server.</para>
+outside parties can help prevent spoofing and denial of service (DoS)
+attacks against your server.</para>
<para>Here is an example of how to properly apply ACLs:</para>
<programlisting>
// Set up an ACL named "bogusnets" that will block RFC1918 space,
<sect1><title><command>chroot</command> and <command>setuid</command> (for
UNIX servers)</title>
<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
-(<command>chroot()</command>) by specifying the "<option>-t</option>"
+(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
option. This can help improve system security by placing <acronym>BIND</acronym> in
a "sandbox", which will limit the damage done if a server is compromised.</para>
<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
-<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
+<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
user 202:</para>
<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
<para>Access to the dynamic
update facility should be strictly limited. In earlier versions of
-<acronym>BIND</acronym> the only way to do this was based on the IP
+<acronym>BIND</acronym>, the only way to do this was based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <command>allow-update</command> zone option.
This method is insecure since the source address of the update UDP packet
prefixes. Alternatively, the new <command>update-policy</command>
option can be used.</para>
-<para>Some sites choose to keep all dynamically updated DNS data
+<para>Some sites choose to keep all dynamically-updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at
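Review bot: `dynamically-updated DNS data` adds a hyphen after an `-ly` adverb, which standard style does not hyphenate because the adverb already marks the compound; the original `dynamically updated` was correct, so this hunk can be dropped.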
core of the new system was described in 1983 in RFCs 882 and
883. From 1984 to 1987, the ARPAnet (the precursor to today's
Internet) became a testbed of experimentation for developing the
- new naming/addressing scheme in an rapidly expanding,
+ new naming/addressing scheme in a rapidly expanding,
operational network environment. New RFCs were written and
published in 1987 that modified the original documents to
incorporate improvements based on the working model. RFC 1034,
handled by Mike Karels and O. Kure.</para>
<para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
+a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. He was assisted
by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
Wolfhugel, and others.</para>
- <para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
+ <para><acronym>BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
<para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
by the Internet Software Consortium with support being provided