authorAdam Tkac <atkac@fedoraproject.org>2008-12-01 16:01:44 +0000
committerAdam Tkac <atkac@fedoraproject.org>2008-12-01 16:01:44 +0000
commit98dc3420a0acc49cbbc30e098408b75114642501 (patch)
tree4c5482e5bac09e91b88a5a15a40002f464319c64
parentf18d558f4fc71ab1bc0aa90112a9aa0232f93cbf (diff)
- improved sample config file (#473586)bind-9_6_0-0_4_1_b1_fc11
-rw-r--r--bind.spec5
-rw-r--r--named.conf.sample167
2 files changed, 141 insertions, 31 deletions
diff --git a/bind.spec b/bind.spec
index ad28439..be264de 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,7 +18,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.6.0
-Release: 0.4.%{PREVER}%{?dist}
+Release: 0.4.1.%{PREVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -600,6 +600,9 @@ rm -rf ${RPM_BUILD_ROOT}
%ghost %{chroot_prefix}/etc/localtime
%changelog
+* Mon Dec 01 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.4.1.b1
+- improved sample config file (#473586)
+
* Wed Nov 26 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.4.b1
- reverted previous change, koji doesn't like it
diff --git a/named.conf.sample b/named.conf.sample
index c3d1acf..d02efc4 100644
--- a/named.conf.sample
+++ b/named.conf.sample
@@ -1,21 +1,64 @@
-//
-// Sample named.conf BIND DNS server 'named' configuration file
-// for the Red Hat BIND distribution.
-//
-// See the BIND Administrator's Reference Manual (ARM) for details, in:
-// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
-// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
-// its manual.
-//
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+ file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
+ its manual.
+*/
+
options
{
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
+
+ /*
+ Specify listenning interfaces. You can use list of addresses (';' is
+ delimiter) or keywords "any"/"none"
+ */
+ //listen-on port 53 { any; };
+ listen-on port 53 { 127.0.0.1; };
+
+ //listen-on-v6 port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+
+ /*
+ Access restrictions
+
+ There are two important options:
+ allow-query { argument; };
+ - allow queries for authoritative data
+
+ allow-query-cache { argument; };
+ - allow queries for non-authoritative data (mostly cached data)
+
+ You can use address, network address or keywords "any"/"localhost"/"none" as argument
+ Examples:
+ allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+ allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+ */
+
+ allow-query { localhost; };
+ allow-query-cache { localhost; };
+
+ // Enable/disable recursion - recursion yes/no;
+ recursion yes;
+
+ /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+ /* Enable serving of DNSSEC related data - enable on both authoritative
+ and recursive servers DNSSEC aware servers */
+ dnssec-enable yes;
+
+ /* Enable DNSSEC validation on recursive servers */
+ dnssec-validation yes;
};
+
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
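Review bot: The access-restriction example `allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };` pairs a 192.168.1.0 address with a /8 prefix, which admits all of 192.0.0.0/8 rather than the private network a reader expects, and as far as I recall named rejects such an entry with an address/prefix length mismatch; the example should read `192.168.1.0/24`. The hunk also turns on `dnssec-validation yes;` while the only trusted-keys statement in the file (last hunk) stays commented out, so in this release validation has no trust anchor to work from; a comment such as `// validation does nothing until a trusted-keys statement is configured` next to it would make that explicit. Spelling in the added comments: `listenning` → `listening`, `bellow` → `below`, and `on both authoritative and recursive servers DNSSEC aware servers` reads better as `on both authoritative and recursive DNSSEC-aware servers`.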
@@ -28,18 +71,19 @@ logging
severity dynamic;
};
};
-//
-// All BIND 9 zones are in a "view", which allow different zones to be served
-// to different types of client addresses, and for options to be set for groups
-// of zones.
-//
-// By default, if named.conf contains no "view" clauses, all zones are in the
-// "default" view, which matches all clients.
-//
-// If named.conf contains any "view" clause, then all zones MUST be in a view;
-// so it is recommended to start off using views to avoid having to restructure
-// your configuration files in the future.
-//
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
@@ -47,8 +91,12 @@ view "localhost_resolver"
*/
match-clients { localhost; };
recursion yes;
+
# all views must contain the root hints zone:
- include "/etc/named.root.hints";
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
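Review bot: The inlined hint zone uses the absolute `file "/var/named/named.ca";` although the options block sets `directory "/var/named"` and every other zone in the file uses a path relative to it; `file "named.ca";` would follow the file's own convention (it is also the path the old include in the other views used). The same four-line zone block is repeated verbatim in the "internal" and "external" views, so any future change to the hints path has to be made three times; if dropping the include was deliberate, a one-line comment saying why would keep the next editor from reintroducing it. The view's body continues outside the hunk.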
@@ -63,9 +111,11 @@ view "internal"
*/
match-clients { localnets; };
recursion yes;
- // all views must contain the root hints zone:
- include "named.ca";
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
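Review bot: The removed `// all views must contain the root hints zone:` explained the root zone in the "internal" view and nothing replaces it, so the new `zone "." IN { ... }` block sits unexplained while the "localhost_resolver" view above keeps its comment. Keep the comment above the zone, `// all views must contain the root hints zone:`, so the two views read the same. The view's body continues outside the hunk.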
@@ -76,6 +126,19 @@ view "internal"
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
+ /*
+ NOTE for dynamic DNS zones and secondary zones:
+
+ DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+ If you are using views and DDNS/secondary zones it is strongly
+ recommended to read FAQ on ISC site (www.isc.org), section
+ "Configuration and Setup Questions", questions
+ "How do I share a dynamic zone between multiple views?" and
+ "How can I make a server a slave for both an internal and an external
+ view at the same time?"
+ */
+
zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
@@ -89,29 +152,33 @@ view "internal"
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
- file "slaves/my.ddns.internal.zone.db";
+ file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
+
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};
-view "external"
+
+view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not match any above view:
*/
match-clients { any; };
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
- // all views must contain the root hints zone:
- include "named.ca";
-
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
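Review bot: The comment directly under the changed `file "dynamic/my.ddns.internal.zone.db";` still says `put dynamically updateable zones in the slaves/ directory`, which now contradicts the path it describes; change it to `// put dynamically updateable zones in the dynamic/ directory so named can update them`. In the "external" view the added hint zone is inserted just before `recursion no;`; a hint zone is only consulted when a view recurses, so if it is kept there for uniformity a short comment saying so would stop readers from assuming the view recurses. The key statement kept as context uses `algorithm hmac-md5;` — the commit does not touch it, but as far as I recall TSIG has supported the SHA-2 HMACs since BIND 9.5, so the sample could point at one of those when the key block is next revised.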
@@ -120,3 +187,43 @@ view "external"
file "my.external.zone.db";
};
};
+
+/* Trusted keys
+
+ This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+ have to configure at least one trusted key.
+
+ Note that no key written below is valid. Especially root key because root zone
+ is not signed yet.
+*/
+/*
+trusted-keys {
+// Root Key
+"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
+ E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
+ zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
+ MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
+ /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
+ iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
+ Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+
+// Key for forward zone
+example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
+ 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
+ OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
+ lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
+ 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
+ iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
+ SCThlHf3xiYleDbt/o1OTQ09A0=";
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
+ VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
+ tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
+ yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
+ 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
+ zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
+ 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
+ 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+};
+*/