21 DNSSEC validation and BIND9 cache

This KB article discusses some of the problems that can be encountered by BIND9 validating recursive servers due to intermittent problems with authoritative servers providing DNSSEC-signed zones. BIND has competing objectives when handling validation. On…

22 Understanding views in BIND 9, by example

Views in BIND have a bad reputation, with some people advocating that they should not be used. It is true that views add complexity to a BIND configuration, but this article will explain how that complexity can be managed and allow views to be used effectively.…

23 Automatic DNSSEC Zone Signing Key rollover explained

This article is derived from a blog post on our website that introduced the 9.7.2 changes in automatic in-server key rollover. BIND 9.7.0 introduced automatic in-server signature refreshing and automatic key rollover. This allows BIND, if provided with the…

24 Automatic empty zones (including RFC 1918 prefixes)

BIND provides a number of empty zones that are automatically configured and loaded (for each view) when named starts. The purpose of these zones is to prevent recursive servers from sending meaningless queries to Internet servers that cannot handle them (thus…

25 Using BIND's XML statistics-channels

In addition to the output from rndc stats, BIND can be monitored (and in more detail) via its XML-based statistics channels. To use this functionality BIND needs to be built with libxml2. All current distributions of BIND for Windows available from the ISC…

26 Tuning your BIND configuration effectively for zone transfers (particularly with many frequently-updated zones)

Zone transfers - AXFR and IXFR. When a master nameserver is updated (irrespective of the mechanism through which this happens), the working contents of the zone held in memory that have changed need to be transferred to the other servers that are authoritative…

27 Adding DKIM Records with BIND9

DKIM -- short for "DomainKeys Identified Mail" -- is a mechanism that provides integrity controls over parts of an email transmission. More information about the protocol can be found at http://www.dkim.org/ as this article will deal only with the required…

28 Using Access Control Lists (ACLs) with both addresses and keys

Question: How can I configure allow-update to permit updates only if BOTH of the following are true: (1) they hold the secret key (TSIG); (2) they're in the 'permitted' subnet? Answer: Here's the long version: acl address_allow { 10/8; }; acl address_reject { !address_allow;…

29 In-line Signing With NSEC3 in BIND 9.9+ -- A Walk-through

Introduction: As of version 9.9, the BIND package supports three different methods of signing zones. Manual signing, initiated by the name server administrator from the command line, has been supported since BIND first added support for DNSSEC. BIND 9.7 added…

30 How can I check the default option values in named.conf?

There isn't any command for BIND that will list all named.conf options and their default settings, but checking the defaults can sometimes be helpful in understanding why BIND is doing something that you didn't expect it to, particularly if you've recently…