diff options
Diffstat (limited to 'contrib/bind/doc/misc/FAQ.1of2')
| -rw-r--r-- | contrib/bind/doc/misc/FAQ.1of2 | 1602 |
1 files changed, 0 insertions, 1602 deletions
diff --git a/contrib/bind/doc/misc/FAQ.1of2 b/contrib/bind/doc/misc/FAQ.1of2 deleted file mode 100644 index 99619eb37a250..0000000000000 --- a/contrib/bind/doc/misc/FAQ.1of2 +++ /dev/null @@ -1,1602 +0,0 @@ -Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers -Path: vixie!news1.digital.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.mathworks.com!news.kei.com!uhog.mit.edu!rutgers!njitgw.njit.edu!hertz.njit.edu!cdp2582 -From: cdp2582@hertz.njit.edu (Chris Peckham) -Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 1 of 2) -Message-ID: <cptd-faq-1-849940949@njit.edu> -Followup-To: comp.protocols.tcp-ip.domains -Originator: cdp2582@hertz.njit.edu -Keywords: BIND,DOMAIN,DNS -Sender: news@njit.edu -Supersedes: <cptd-faq-1-847336183@njit.edu> -Nntp-Posting-Host: hertz.njit.edu -X-Posting-Frequency: posted during the first week of each month -Reply-To: domain-faq@njit.edu (comp.protocols.tcp-ip.domains FAQ comments) -Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA -Date: Sat, 7 Dec 1996 06:42:36 GMT -Approved: news-answers-request@MIT.EDU -Expires: Sat 11 Jan 97 02:42:29 EDT -Lines: 1582 -Xref: vixie comp.protocols.tcp-ip.domains:12904 comp.answers:22440 news.answers:85682 - -Posted-By: auto-faq 3.1.1.2 -Archive-name: internet/tcp-ip/domains-faq/part1 -Revision: 1.14 1996/12/07 06:42:05 - - -Note that this posting has been split into two parts because of its size. - -$Id: FAQ.1of2,v 8.4 1996/12/18 04:22:33 vixie Exp $ - -A new version of this document appears monthly. If this copy is more -than a month old it may be out of date. - -This FAQ is edited and maintained by Chris Peckham, <cdp@pfmc.net>. The -most recently posted version may be found for anonymous ftp from - -rtfm.mit.edu : /pub/usenet/news.answers/internet/tcp-ip/domains-faq - -It is also available in HTML from -http://www.users.pfmc.net/~cdp/cptd-faq/. - -If you can contribute any answers for items in the TODO section, please do -so by sending e-mail to <domain-faq@pfmc.net> ! If you know of any items -that are not included and you feel that they should be, send the -relevant information to <domain-faq@pfmc.net>. - -=============================================================================== - -Index - - Section 1. TO DO / UPDATES - Q1.1 Contributions needed - Q1.2 UPDATES / Changes since last posting - - Section 2. INTRODUCTION / MISCELLANEOUS - Q2.1 What is this newsgroup ? - Q2.2 More information - Q2.3 What is BIND ? - Q2.4 What is the difference between BIND and DNS ? - Q2.5 Where is the latest version of BIND located ? - Q2.6 How can I find the path taken between two systems/domains ? - Q2.7 How do you find the hostname given the TCP-IP address ? - Q2.8 How do I register a domain ? - Q2.9 How can I change the IP address of our server ? - Q2.10 Issues when changing your domain name - Q2.11 How memory and CPU does DNS use ? - Q2.12 Other things to consider when planning your servers - Q2.13 Proper way to get NS and reverse IP records into DNS - Q2.14 How do I get my address assigned from the NIC ? - Q2.15 Is there a block of private IP addresses I can use? - Q2.16 Does BIND cache negative answers (failed DNS lookups) ? - Q2.17 What does an NS record really do ? - Q2.18 DNS ports - Q2.19 What is the cache file - Q2.20 Obtaining the latest cache file - Q2.21 Selecting a nameserver/root cache - Q2.22 InterNIC and domain names - - Section 3. UTILITIES - Q3.1 Utilities to administer DNS zone files - Q3.2 DIG - Domain Internet Groper - Q3.3 DNS packet analyser - Q3.4 host - Q3.5 How can I use DNS information in my program? - Q3.6 A source of information relating to DNS - - Section 4. DEFINITIONS - Q4.1 TCP/IP Host Naming Conventions - Q4.2 What are slaves and forwarders ? - Q4.3 When is a server authoritative? - Q4.4 My server does not consider itself authoritative ! - Q4.5 NS records don't configure servers as authoritative ? - Q4.6 underscore in host-/domainnames - Q4.7 What is lame delegation ? - Q4.8 How can I see if the server is "lame" ? - Q4.9 What does opt-class field in a zone file do? - Q4.10 Top level domains - Q4.11 Classes of networks - Q4.12 What is CIDR ? - Q4.13 What is the rule for glue ? - - Section 5. CONFIGURATION - Q5.1 Changing a Secondary server to a Primary server ? - Q5.2 Moving a Primary server to another server - Q5.3 How do I subnet a Class B Address ? - Q5.4 Subnetted domain name service - Q5.5 Recommended format/style of DNS files - Q5.6 DNS on a system not connected to the Internet - Q5.7 Multiple Domain configuration - Q5.8 wildcard MX records - Q5.9 How do you identify a wildcard MX record ? - Q5.10 Why are fully qualified domain names recommended ? - Q5.11 Distributing load using named - Q5.12 Order of returned records - Q5.13 resolv.conf - Q5.14 How do I delegate authority for sub-domains ? - Q5.15 DNS instead of NIS on a Sun OS 4.1.x system - Q5.16 Patches to add functionality to BIND - Q5.17 How to serve multiple domains from one server - - Section 6. PROBLEMS - Q6.1 No address for root server - Q6.2 Error - No Root Nameservers for Class XX - Q6.3 Bind 4.9.x and MX querying? - Q6.4 Do I need to define an A record for localhost ? - Q6.5 MX records, CNAMES and A records for MX targets - Q6.6 Can an NS record point to a CNAME ? - Q6.7 Nameserver forgets own A record - Q6.8 General problems (core dumps !) - Q6.9 malloc and DECstations - Q6.10 Can't resolve names without a "." - Q6.11 Err/TO errors being reported - Q6.12 Why does swapping kill BIND ? - - Section 7. ACKNOWLEDGEMENTS - Q7.1 How is this FAQ generated ? - Q7.2 What formats are available ? - Q7.3 Contributors - -=============================================================================== - -Section 1. TO DO / UPDATES - - Q1.1 Contributions needed - Q1.2 UPDATES / Changes since last posting - ------------------------------------------------------------------------------ - -Question 1.1. Contributions needed - -Date: Fri Dec 6 00:40:00 EST 1996 - -* Expand the slave/forward section - ------------------------------------------------------------------------------ - -Question 1.2. UPDATES / Changes since last posting - -Date: Fri Dec 6 00:40:00 EST 1996 - -* The FAQ is now maintained in BFNN (Bizzare format with No Name). This - allows me to create ASCII, HTML, and GNU info (postscript coming soon) - from one source file. -* References to 4.9.4 changed to 4.9.5. -* memory/CPU usage question - removed uunet map reference. Not there... -* Minor edits of information and questions for new format. -* How do I delegate authority for sub-domains ? - edited answer - -=============================================================================== - -Section 2. INTRODUCTION / MISCELLANEOUS - - Q2.1 What is this newsgroup ? - Q2.2 More information - Q2.3 What is BIND ? - Q2.4 What is the difference between BIND and DNS ? - Q2.5 Where is the latest version of BIND located ? - Q2.6 How can I find the path taken between two systems/domains ? - Q2.7 How do you find the hostname given the TCP-IP address ? - Q2.8 How do I register a domain ? - Q2.9 How can I change the IP address of our server ? - Q2.10 Issues when changing your domain name - Q2.11 How memory and CPU does DNS use ? - Q2.12 Other things to consider when planning your servers - Q2.13 Proper way to get NS and reverse IP records into DNS - Q2.14 How do I get my address assigned from the NIC ? - Q2.15 Is there a block of private IP addresses I can use? - Q2.16 Does BIND cache negative answers (failed DNS lookups) ? - Q2.17 What does an NS record really do ? - Q2.18 DNS ports - Q2.19 What is the cache file - Q2.20 Obtaining the latest cache file - Q2.21 Selecting a nameserver/root cache - Q2.22 InterNIC and domain names - ------------------------------------------------------------------------------ - -Question 2.1. What is this newsgroup ? - -Date: Thu Dec 1 11:08:28 EST 1994 - -comp.protocols.tcp-ip.domains is the usenet newsgroup for discussion on -issues relating to the Domain Name System (DNS). - -This newsgroup is not for issues directly relating to IP routing and -addressing. Issues of that nature should be directed towards -comp.protocols.tcp-ip. - ------------------------------------------------------------------------------ - -Question 2.2. More information - -Date: Fri Dec 6 00:41:03 EST 1996 - -You can find more information concerning DNS in the following places: - -* The BOG (BIND Operations Guide) - in the BIND distribution -* The FAQ included with BIND 4.9.5 in doc/misc/FAQ -* DNS and BIND by Albitz and Liu (an O'Reilly & Associates Nutshell - handbook) -* A number of RFCs (920, 974, 1032, 1034, 1101, 1123, 1178, 1183, 1348, - 1535, 1536, 1537, 1591, 1706, 1712, 1713, 1912, 1918) -* The DNS Resources Directory (DNSRD) http://www.dns.net/dnsrd/ -* If you are having troubles relating to sendmail and DNS, you may wish to - refer to the USEnet newsgroup comp.mail.sendmail and/or the FAQ for that - newsgroup which may be found for anonymous ftp at rtfm.mit.edu : - /pub/usenet/news.answers/mail/sendmail-faq -* Information concerning some frequently asked questions relating to the - Internet (i.e., what is the InterNIC, what is an RFC, what is the IETF, - etc) may be found for anonymous ftp from ds.internic.net : /fyi/fyi4.txt - A version may also be obtained with the URL - gopher://ds.internic.net/00/fyi/fyi4.txt. -* Information on performing an initial installation of BIND may be found - using the DNS Resources Directory at - http://www.dns.net/dnsrd/docs/basic.txt -* Three other USEnet newsgroups: - - * comp.protocols.dns.bind - * comp.protocols.dns.ops - * comp.protocols.dns.std - ------------------------------------------------------------------------------ - -Question 2.3. What is BIND ? - -Date: Tue Sep 10 23:15:58 EDT 1996 - -From the BOG Introduction - - -The Berkeley Internet Name Domain (BIND) implements an Internet name -server for the BSD operating system. The BIND consists of a server (or -``daemon'') and a resolver library. A name server is a network -service that enables clients to name resources or objects and share this -information with other objects in the network. This in effect is a -distributed data base system for objects in a computer network. BIND -is fully integrated into BSD (4.3 and later releases) network programs -for use in storing and retrieving host names and address. The system -administrator can configure the system to use BIND as a replacement to -the older host table lookup of information in the network hosts file -/etc/hosts. The default configuration for BSD uses BIND. - ------------------------------------------------------------------------------ - -Question 2.4. What is the difference between BIND and DNS ? - -Date: Tue Sep 10 23:15:58 EDT 1996 - -(text provided by Andras Salamon) DNS is the Domain Name System, a set of -protocols for a distributed database that was originally designed to -replace /etc/hosts files. DNS is most commonly used by applications to -translate domain names of hosts to IP addresses. A client of the DNS is -called a resolver; resolvers are typically located in the application -layer of the networking software of each TCP/IP capable machine. Users -typically do not interact directly with the resolver. Resolvers query the -DNS by directing queries at name servers that contain parts of the -distributed database that is accessed by using the DNS protocols. In -common usage, `the DNS' usually refers just to the data in the database. - -BIND (Berkeley Internet Name Domain) is an implementation of DNS, both -server and client. Development of BIND is funded by the Internet Software -Consortium and is coordinated by Paul Vixie. BIND has been ported to -Windows NT and VMS, but is most often found on Unix. BIND source code is -freely available and very complex; most of the development on the DNS -protocols is based on this code; and most Unix vendors ship BIND-derived -DNS implementations. As a result, the BIND name server is the most widely -used name server on the Internet. In common usage, `BIND' usually refers -to the name server that is part of the BIND distribution, and sometimes to -name servers in general (whether BIND-derived or not). - ------------------------------------------------------------------------------ - -Question 2.5. Where is the latest version of BIND located ? - -Fri Dec 6 00:23:19 EST 1996 - -This information may be found at http://www.vix.com/isc/bind.html - -At this time, BIND version of 4.9.5 may be found for anonymous ftp from - -ftp.vix.com : /pub/bind/release/4.9.5/bind-4.9.5-REL.tar.gz - -Other sites that officially mirror the BIND distribution are - -* bind.fit.qut.edu.au : /pub/bind -* ftp.funet.fi : /pub/unix/tcpip/dns/bind -* ftp.univ-lyon1.fr : /pub/mirrors/unix/bind -* ftp.oleane.net : /pub/mirrors/unix/bind -* ftp.ucr.ac.cr : /pub/Unix/dns/bind -* ftp.luth.se : /pub/unix/dns/bind/beta - -You may need GNU zip, Larry Wall's patch program (if there are any patch -files), and a C compiler to get BIND running from the above mentioned -source. - -GNU zip is available for anonymous ftp from - -prep.ai.mit.edu : /pub/gnu/gzip-1.2.4.tar - -patch is available for anonymous ftp from - -prep.ai.mit.edu : /pub/gnu/patch-2.1.tar.gz - -A version of BIND for Windows NT is available for anonymous ftp from - -ftp.vix.com : /pub/bind/release/4.9.5/contrib/ntdns495relbin.zip - -and - -ftp.vix.com : /pub/bind/release/4.9.5/contrib/ntbind495rel.zip - ------------------------------------------------------------------------------ - -Question 2.6. How can I find the path taken between two systems/domains ? - -Date: Fri Dec 6 00:10:31 EST 1996 - -On a Unix system, use traceroute. If it is not available to you, you may -obtain the source source for 'traceroute', compile it and install it on -your system. - -One version of this program with additional functionality may be found for -anonymous ftp from - -ftp.nikhef.nl : /pub/network/traceroute.tar.Z - -Another version may be found for anonymous ftp from - -ftp.psc.edu : /pub/net_tools/traceroute.tar - ------------------------------------------------------------------------------ - -Question 2.7. How do you find the hostname given the TCP-IP address ? - -Date: Thu Dec 1 09:55:24 EST 1994 - -For an address a.b.c.d you can always do: - - % nslookup - > set q=ptr - > d.c.b.a.in-addr.arpa. - -Most newer version of nslookup (since 4.8.3) will recognize an address, so -you can just say: - - % nslookup a.b.c.d - -DiG will work like this also: - - % dig -x a.b.c.d - -host from the contrib/host from the bind distribution may also be used. - ------------------------------------------------------------------------------ - -Question 2.8. How do I register a domain ? - -Date: Wed Sep 4 23:59:42 EDT 1996 - -You can talk to your Internet Service Provider (ISP). They can submit the -registration for you. If you are not going to be directly connected, they -should be able to offer MX records for your domain for mail delivery (so -that mail sent to the new domain will be sent to your "standard" account). -In the case where the registration is done by the organization itself, it -still makes the whole process much easier if the ISP is approached for -secondary servers _before_ the InterNIC is approached for registration. - -For information about making the registration yourself, look to the -InterNIC (or other similar organization). - -* anonymout ftp from internic.net : /templates -* gopher://rs.internic.net/ -* http://rs.internic.net/reg/reg-forms.html -* http://www.ripe.net/ - -You will need at least two domain name servers when you register your -domain. Many ISP's are willing to provide primary and/or secondary name -service for their customers. - -Please note that the InterNIC is now charging a fee for domain names in -the "COM", "ORG", and "NET". More information may be found from the -Internic at - -http://rs.internic.net/domain-info/fee-policy.html - -Many times, registration of a domain name can be initiated by sending -e-mail to the zone contact. You can obtain the contact in the SOA record -for the country, or in a whois server: - - $ nslookup -type=SOA fr. - origin = ns1.nic.fr - mail addr = nic.nic.fr - ... - -The mail address to contact in this case is 'nic@nic.fr' (you must -substitute an '@' for the first dot in the mail addr field). - -An alternate method to obtain the e-mail address of the national NIC is -the 'whois' server at InterNIC. - -You may be requested to make your request to another email address or -using a certain information template/application. - ------------------------------------------------------------------------------ - -Question 2.9. How can I change the IP address of our server ? - -Date: Sun May 5 22:46:28 EDT 1996 - -(From Mark Andrews) Before the move. - -* Ensure you are running a modern nameserver. BIND 4.9.3-REL + Patch1 is a - good choice. -* Inform all your secondaries that you are going to change. Have them - install both the current and new addresses in their named.boot's. -* Drop the ttl of the A's associated with the nameserver to something - small (5 min is usually good). -* Drop the refesh and retry times of the zone containing the forward - records for the server. -* Configure the new reverse zone before the move and make sure it is - operational. -* On the day of the move add the new A record(s) for the server. Don't - forget to have these added to parent domains. You will look like you are - multihomed with one interface dead. - -Move the machine after gracefully terminating any other services it is -offering. Then, - -* Fixup the A's, ttl, refresh and retry counters. (If you are running an - all server EDIT out all references to the old addresses in the cache - files). -* Inform all the secondaries the move is complete. -* Inform the parents of all zones you are primary of the new NS/A pairs - for the relevent zones. -* Inform all the administators of zones you are secondaring that the - machine has moved. -* For good measure update the serial no for all zones you are primary for. - This will flush out old A's. - ------------------------------------------------------------------------------ - -Question 2.10. Issues when changing your domain name - -Date: Sun Nov 27 23:32:41 EST 1994 - -If you are changing your domain name from abc.foobar.com to foobar.net, -the forward zones are easy and there are a number of ways to do it. One -way is the following: - -Have a single db file for the 2 domains, and have a single machine be the -primary server for both abc.foobar.com and foobar.net. - -To resolve the host foo in both domains, use a single zone file which -merely uses this for the host: - -foo IN A 1.2.3.4 - -Use a "@" wherever the domain would be used ie for the SOA: - -@ IN SOA (... - -Then use this pair of lines in your named.boot: - -primary abc.foobar.com db.foobar -primary foobar.net db.foobar - -The reverse zones should either contain PTRs to both names, or to -whichever name you believe to be canonical currently. - ------------------------------------------------------------------------------ - -Question 2.11. How memory and CPU does DNS use ? - -Date: Fri Dec 6 01:07:56 EST 1996 - -It can use quite a bit ! The main thing that BIND needs is memory. It -uses very little CPU or network bandwidth. The main considerations to -keep in mind when planning are: - -* How many zones do you have and how large are they ? -* How many clients do you expect to serve and how active are they ? - -As an example, here is a snapshot of memory usage from CSIRO Division of -Mathematics and Statistics, Australia - - Named takes several days to stabalize its memory usage. - - Our main server stabalises at ~10Mb. It takes about 3 days to - reach this size from 6 M at startup. This is under Sun OS 4.1.3U1. - -As another example, here is the configuration of ns.uu.net (from late -1994): - - ns.uu.net only does nameservice. It is running a version of BIND - 4.9.3 on a Sun Classic with 96 MB of RAM, 220 MB of swap (remember - that Sun OS will reserve swap for each fork, even if it is not needed) - running Sun OS 4.1.3_U1. - - Joseph Malcolm, of Alternet, states that named generally hovers at - 5-10% of the CPU, except after a reload, when it eats it all. - ------------------------------------------------------------------------------ - -Question 2.12. Other things to consider when planning your servers - -Date: Mon Jan 2 14:24:51 EST 1995 - -When making the plans to set up your servers, you may want to also -consider the following issues: - - A) Server O/S limitations/capacities (which tend to be widely - divergent from vendor to vendor) - B) Client resolver behavior (even more widely divergent) - C) Expected query response time - D) Redundancy - E) Desired speed of change propagation - F) Network bandwidth availability - G) Number of zones/subdomain-levels desired - H) Richness of data stored (redundant MX records? HINFO records?) - I) Ease of administration desired - J) Network topology (impacts reverse-zone volume) - - Assuming a best-possible case for the factors above, particularly (A), (B), - (C), (F), (G) & (H), it would be possible to run a 1000-node domain - using a single lowly 25 or 40 MHz 386 PC with a fairly modest amount of RAM - by today's standards, e.g. 4 or 8 Meg. However, this configuration would - be slow, unreliable, and would provide no functionality beyond your basic - address-to-name and name-to-address mappings. - - Beyond that baseline case, depending on what factors listed above, - you may want look at other strategies, such splitting up the DNS - traffic among several machines strategically located, possibly larger ones, - and/or subdividing your domain itself. There are many options, tradeoffs, - and DNS architectural paradigms from which to choose. ------------------------------------------------------------------------------ - -Question 2.13. Proper way to get NS and reverse IP records into DNS - -Date: Mon Jan 2 13:03:53 EST 1995 - -Reverse domain registration is separate from forward domain registration. -Blocks of network addresses have been delegated by the InterNIC. Check if -your network a.b.c.0 is in such a block by using nslookup: - - nslookup -type=soa c.b.a.in-addr.arpa. - nslookup -type=soa b.a.in-addr.arpa. - nslookup -type=soa a.in-addr.arpa. - -One of the above should give you the information you are looking for (the -others will return with an error something like `*** No start of authority -(SOA) records available for ...') This will give you the email address of -the person to whom you should address your change request. - -If none of these works, your network probably has not been delegated by -the InterNIC and you need to contact them directly. - -CIDR has meant that the registration is delegated, but registration of -in-addr.arpa has always been separate from forward zones - and for good -reason - in that the forward and reverse zones may have different -policies, contents etc, may be served by a different set of nameservers, -and exist at different times (usually only at point of creation). There -isn't a one-to-one mapping between the two, so merging the registration -would probably cause more problems than people forgetting/not-knowing that -they had to register in-addr.arpa zones separately. For example, there -are organizations that have hundreds of networks and two or more domains, -with a sprinkling of machines from each network in each of the domains. - ------------------------------------------------------------------------------ - -Question 2.14. How do I get my address assigned from the NIC ? - -Date: Fri Dec 6 01:11:34 EST 1996 - -You should probably ask your Internet provider to give you an address. -These days, addresses are being distributed through the providers, so that -they can assign adjacent blocks of addresses to sites that go through the -same provider, to permit more efficient routing on the backbones. - -Unless you have thousands of hosts, you probably won't be able to get a -class B these days. Instead, you can get a series of class C networks. -Large requests will be queried, so be ready to provide a network plan if -you ask for more than 16 class C networks. - -If you can't do this through your Internet provider, you can look for a -subnet registration form on rs.internic.net. See the answer in this FAQ -to the question "How do I register a domain" for a URL to these forms. - ------------------------------------------------------------------------------ - -Question 2.15. Is there a block of private IP addresses I can use? - -Date: Sun May 5 23:02:49 EDT 1996 - -Yes there is. Please refer to RFC 1918: - - 1918 Address Allocation for Private Internets. Y. Rekhter, B. - Moskowitz, D. Karrenberg, G. de Groot, & E. Lear. February 1996. - (Format: TXT=22270 bytes) - -RFC 1918 documents the allocation of the following addresses for use by -``private internets'': - - 10.0.0.0 - 10.255.255.255 - 172.16.0.0 - 172.31.255.255 - 192.168.0.0 - 192.168.255.255 - ------------------------------------------------------------------------------ - -Question 2.16. Does BIND cache negative answers (failed DNS lookups) ? - -Date: Mon Jan 2 13:55:50 EST 1995 - -Yes, BIND 4.9.3 and more recent versions will cache negative answers. - ------------------------------------------------------------------------------ - -Question 2.17. What does an NS record really do ? - -Date: Wed Sep 4 22:52:18 EDT 1996 - -The NS records in your zone data file pointing to the zone's name servers -(as opposed to the servers of delegated subdomains) don't do much. -They're essentially unused, though they are returned in the authority -section of reply packets from your name servers. - -However, the NS records in the zone file of the parent domain are used to -find the right servers to query for the zone in question. These records -are more important than the records in the zone itself. - ------------------------------------------------------------------------------ - -Question 2.18. DNS ports - -Date: Fri Feb 10 15:40:10 EST 1995 - -The following table shows what TCP/UDP ports DNS uses to send and receive -queries: - - Prot Src Dst Use - udp 53 53 Queries between servers (eg, recursive queries) - Replies to above - tcp 53 53 Queries with long replies between servers, zone - transfers Replies to above - udp >1023 53 Client queries (sendmail, nslookup, etc ...) - udp 53 >1023 Replies to above - tcp >1023 53 Client queries with long replies - tcp 53 >1023 Replies to above - - Note: >1023 is for non-priv ports on Un*x clients. On other client - types, the limit may be more or less. - -Another point to keep in mind when designing filters for DNS is that a DNS -server uses port 53 both as the source and destination for it's queries. -So, a client queries an initial server from an unreserved port number to -UDP port 53. If the server needs to query another server to get the -required info, it sends a UDP query to that server with both source and -destination ports set to 53. The response is then sent with the same -src=53 dest=53 to the first server which then responds to the original -client from port 53 to the original source port number. - -The point of all this is that putting in filters to only allow UDP between -a high port and port 53 will not work correctly, you must also allow the -port 53 to port 53 UDP to get through. - -Also, ALL versions of BIND use TCP for queries in some cases. The -original query is tried using UDP. If the response is longer than the -allocated buffer, the resolver will retry the query using a TCP -connection. If you block access to TCP port 53 as suggested above, you -may find that some things don't work. - -Newer version of BIND allow you to configure a list of IP addresses from -which to allow zone transfers. This mechanism can be used to prevent -people from outside downloading your entire namespace. - ------------------------------------------------------------------------------ - -Question 2.19. What is the cache file - -Date: Fri Dec 6 01:15:22 EST 1996 - -From the "Name Server Operations Guide" - - 6.3. Cache Initialization - - 6.3.1. root.cache - - The name server needs to know the servers that - are the authoritative name servers for the root - domain of the network. To do this we have to prime - the name server's cache with the addresses of these - higher authorities. The location of this file is - specified in the boot file. ... - ------------------------------------------------------------------------------ - -Question 2.20. Obtaining the latest cache file - -Date: Fri Dec 6 01:15:22 EST 1996 - -If you have a version of dig running, you may obtain the information with -the command - - dig @a.root-servers.net. . ns - -A perl script to handle some possible problems when using this method -from behind a firewall and that can also be used to periodically obtain -the latest cache file was posted to comp.protocols.tcp-ip.domains during -early October, 1996. It was posted with the subject "Keeping db.cache -current". It is available at -http://www.users.pfmc.net/~cdp/cptd-faq/current_db_cache.txt. - -The latest cache file may also be obtained from the InterNIC via ftp or -gopher: - - ; This file is made available by InterNIC registration services - ; under anonymous FTP as - ; file /domain/named.root - ; on server FTP.RS.INTERNIC.NET - ; -OR- under Gopher at RS.INTERNIC.NET - ; under menu InterNIC Registration Services (NSI) - ; submenu InterNIC Registration Archives - ; file named.root - ------------------------------------------------------------------------------ - -Question 2.21. Selecting a nameserver/root cache - -Date: Mon Aug 5 22:54:11 EDT 1996 - -Exactly how is the a root server selected from the root cache? Does the -resolver attempt to pick the closest host or is it random or is it via -sortlist-type workings? If the root server selected is not available (for -whatever reason), will the the query fail instead of attempting another -root server in the list ? - -Every recursive BIND name server (that is, one which is willing to go out -and find something for you if you ask it something it doesn't know) will -remember the measured round trip time to each server it sends queries to. -If it has a choice of several servers for some domain (like "." for -example) it will use the one whose measured RTT is lowest. - -Since the measured RTT of all NS RRs starts at zero (0), every one gets -tried one time. Once all have responded, all RTT's will be nonzero, and -the "fastest server" will get all queries henceforth, until it slows down -for some reason. - -To promote dispersion and good recordkeeping, BIND will penalize the RTT -by a little bit each time a server is reused, and it will penalize the RTT -a _lot_ if it ever has to retransmit a query. For a server to stay "#1", -it has to keep on answering quickly and consistently. - -Note that this is something BIND does that the DNS Specification does not -mention at all. So other servers, those not based on BIND, might behave -very differently. - ------------------------------------------------------------------------------ - -Question 2.22. InterNIC and domain names - -Date: Sun Jun 2 11:23:49 EDT 1996 - -The current InterNIC policy on what to do if someone wants to use a domain -name that is already in use may be found at - -rs.internic.net : /policy/internic/internic-domain-4.txt - -or - -http://rs.internic.net/domain-info/internic-domain-4.html. - -The following information was submitted by Carl Oppedahl -<oppedahl@patents.com> : - -If the jealous party happens to have a trademark registration, it is quite -likely that the domain name owner will lose the domain name, even if they -aren't infringing the trademark. This presents a substantial risk of loss -of a domain name on only 30 days' notice. Anyone who is the manager of an -Internet-connected site should be aware of this risk and should plan for -it. - -See "How do I protect myself from loss of my domain name?" at -http://www.patents.com/weblaw.sht#domloss. - -For an example of an ISP's battle to keep its domain name, see -http://www.patents.com/nsi.sht. - -A compendium of information on the subject may be found at -http://www.law.georgetown.edu/lc/internic/domain1.html. - -=============================================================================== - -Section 3. UTILITIES - - Q3.1 Utilities to administer DNS zone files - Q3.2 DIG - Domain Internet Groper - Q3.3 DNS packet analyser - Q3.4 host - Q3.5 How can I use DNS information in my program? - Q3.6 A source of information relating to DNS - ------------------------------------------------------------------------------ - -Question 3.1. Utilities to administer DNS zone files - -Date: Wed Sep 4 22:53:53 EDT 1996 - -There are a few utilities available to ease the administration of zone -files in the DNS. - -Two common ones are h2n and makezones. Both are perl scripts. h2n is -used to convert host tables into zone data files. It is available for -anonymous ftp from - -ftp.uu.net : /published/oreilly/nutshell/dnsbind/dns.tar.Z - -makezones works from a single file that looks like a forward zone file, -with some additional syntax for special cases. It is included in the -current BIND distribution. The newest version is always available for -anonymous ftp from - -ftp.cus.cam.ac.uk : /pub/software/programs/DNS/makezones - -More information may be found using the DNS Resources Directory - -http://www.dns.net/dnsrd/. - ------------------------------------------------------------------------------ - -Question 3.2. DIG - Domain Internet Groper - -Date: Thu Dec 1 11:09:11 EST 1994 - -The latest and greatest, official, accept-no-substitutes version of the -Domain Internet Groper (DiG) is the one that comes with BIND. Get the -latest kit. - ------------------------------------------------------------------------------ - -Question 3.3. DNS packet analyser - -Date: Wed Sep 4 23:43:57 EDT 1996 - -There is a free ethernet analyser called Ethload available for PC's -running DOS. The latest filename is ETHLD104.ZIP. It understands lots of -protocols including TCP/UDP. It'll look inside there and display -DNS/BOOTP/ICMP packets etc. (Ed. note: something nice for someone to add -to tcpdump ;^) ). Depending on the ethernet controller it's given it'll -perform slightly differently. It handles NDIS/Novell/Packet drivers. It -works best with Novell's promiscuous mode drivers. A SimTel mirror site -should have the program available for anonymous ftp. One is - -ftp.coast.net : /SimTel/msdos/lan/ethld104.zip - ------------------------------------------------------------------------------ - -Question 3.4. host - -Date: Sun Dec 4 21:15:38 EST 1994 - -A section from the host man page: - - host looks for information about Internet hosts and domain - names. It gets this information from a set of intercon- - nected servers that are spread across the world. The infor- - mation is stored in the form of "resource records" belonging - to hierarchically organized "zones". - - By default, the program simply converts between host names - and Internet addresses. However, with the -t, -a and -v - options, it can be used to find all of the information about - domain names that is maintained by the domain nameserver - system. The information printed consists of various fields - of the associated resource records that were retrieved. - - The arguments can be either host names (domain names) or - numeric Internet addresses. - -'host' is compatible with both BIND 4.9 and BIND 4.8 - -'host' may be found in contrib/host in the BIND distribution. The latest -version always available for anonymous ftp from - -ftp.nikhef.nl : /pub/network/host.tar.Z - -It may also be found for anonymous ftp from - -ftp.uu.net : /networking/ip/dns/host.tar.Z - ------------------------------------------------------------------------------ - -Question 3.5. How can I use DNS information in my program? - -Date: Fri Feb 10 15:25:11 EST 1995 - -It depends on precisely what you want to do: - -* Consider whether you need to write a program at all. It may well be - easier to write a shell program (e.g. using awk or perl) to parse the - output of dig, host or nslookup. -* If all you need is names and addresses, there will probably be system - routines 'gethostbyname' and 'gethostbyaddr' to provide this - information. -* If you need more details, then there are system routines (res_query and - res_search) to assist with making and sending DNS queries. However, - these do not include a routine to parse the resulting answer (although - routines to assist in this task are provided). There is a separate - library available that will take a DNS response and unpick it into its - constituent parts, returning a C structure that can be used by the - program. The source for this library is available for anonymous ftp at - - hpux.csc.liv.ac.uk : /hpux/Networking/Admin/resparse-1.2 - ------------------------------------------------------------------------------ - -Question 3.6. A source of information relating to DNS - -Date: Tue Nov 5 23:42:21 EST 1996 - -You may find utilities and tools to help you manage your zone files -(including WWW front-ends) in the "tools" section of the DNS resources -directory: - -http://www.dns.net/dnsrd/tools.html - -There are also a number of IP management tools available. Data -Communications had an article on the subject in Sept/Oct of 1996. The -tools mentioned in the article and a few others may be found at the -following sites: - -* IP Address management, http://www.accugraph.com -* IP-Track, http://www.on.com -* NetID, http://www.isotro.com -* QIP, http://www.quadritek.com -* UName-It, http://www.esm.com - -=============================================================================== - -Section 4. DEFINITIONS - - Q4.1 TCP/IP Host Naming Conventions - Q4.2 What are slaves and forwarders ? - Q4.3 When is a server authoritative? - Q4.4 My server does not consider itself authoritative ! - Q4.5 NS records don't configure servers as authoritative ? - Q4.6 underscore in host-/domainnames - Q4.7 What is lame delegation ? - Q4.8 How can I see if the server is "lame" ? - Q4.9 What does opt-class field in a zone file do? - Q4.10 Top level domains - Q4.11 Classes of networks - Q4.12 What is CIDR ? - Q4.13 What is the rule for glue ? - ------------------------------------------------------------------------------ - -Question 4.1. TCP/IP Host Naming Conventions - -Date: Mon Aug 5 22:49:46 EDT 1996 - -One guide that may be used when naming hosts is RFC 1178, "Choosing a Name -for Your Computer", which is available via anonymous FTP from - -ftp.internic.net : /rfc/rfc1178.txt - -RFCs (Request For Comments) are specifications and guidelines for how many -aspects of TCP/IP and the Internet (should) work. Most RFCs are fairly -technical documents, and some have semantics that are hotly contested in -the newsgroups. But a few, like RFC 1178, are actually good to read for -someone who's just starting along a TCP/IP path. - ------------------------------------------------------------------------------ - -Question 4.2. What are slaves and forwarders ? - -Date: Thu Dec 1 10:32:43 EST 1994 - -"forwarders" is a list of NS records that are _prepended_ to a list of NS -records to query if the data is not available locally. This allows a rich -cache of records to be built up at a centralized location. This is good -for sites that have sporadic or very slow connections to the Internet. -(demand dial-up, for example) It's also just a good idea for very large -distributed sites to increase the chance that you don't have to go off to -the Internet to get an IP address. (sometimes for addresses across the -street!) - -"slave" modifies this to say to replace the list of NS records with the -forwarders entry, instead of prepending to it. This is for firewalled -environments, where the nameserver can't directly get out to the Internet -at all. - -"slave" is meaningless (and invalid, in late-model BINDs) without -"forwarders". "forwarders" is an entry in named.boot, and therefore -applies only to the nameserver (not to resolvers). - ------------------------------------------------------------------------------ - -Question 4.3. When is a server authoritative? - -Date: Mon Jan 2 13:15:13 EST 1995 - -In the case of BIND: - -* The server contains current data in files for the zone in question (Data - must be current for secondaries, as defined in the SOA) -* The server is told that it is authoritative for the zone, by a 'primary' - or 'secondary' keyword in /etc/named.boot. -* The server does an error-free load of the zone. - ------------------------------------------------------------------------------ - -Question 4.4. My server does not consider itself authoritative ! - -Date: Mon Jan 2 13:15:13 EST 1995 - -The question was: - - What if I have set up a DNS where there is an SOA record for - the domain, but the server still does not consider itself - authoritative. (when using nslookup and set server=the correct machine.) - It seems that something is not matching up somewhere. I suspect - that this is because the service provider has not given us control - over the IP numbers in our own domain, and so while the machine listed - has an A record for an address, there is no corresponding PTR record. -With the answer: - - That's possible too, but is unrelated to the first question. - You need to be delegated a zone before outside people will start - talking to your server. However, a server can still be authoritative - for a zone even though it hasn't been delegated authority (it's just - that only the people who use that as their server will see the data). - - A server may consider itself non-authoritative even though it's a - primary if there is a syntax error in the zone (see the list in the - previous question). ------------------------------------------------------------------------------ - -Question 4.5. NS records don't configure servers as authoritative ? - -Date: Fri Dec 6 16:13:34 EST 1996 - -Nope, delegation is a separate issue from authoritativeness. You can -still be authoritative, but not delegated. (you can also be delegated, -but not authoritative -- that's a "lame delegation") - ------------------------------------------------------------------------------ - -Question 4.6. underscore in host-/domainnames - -Date: Mon Aug 5 22:39:02 EDT 1996 - -The question is "Are underscores are allowed in host- or domainnames" ? - RFC 1033 allows them. - RFC 1035 doesn't. - RFC 1123 doesn't. - dnswalk complains about them. - - -Which RFC is the final authority these days? - -Actually RFC 1035 deals with names of machines or names of mail domains. -i.e "_" is not permitted in a hostname or on the RHS of the "@" in -local@domain. - -Underscore is permitted where ever the domain is NOT one of these types -of addresses. - -In general the DNS mostly contains hostnames and mail domainnames. This -will change as new resource record types for authenticating DNS queries -start to appear. - -The latest version of 'host' checks for illegal characters in A/MX record -names and the NS/MX target names. - -After saying all of that, remember that RFC 1123 is a Required Internet -Standard (per RFC 1720), and RFC 1033 isn't. Even RFC 1035 isn't a -required standard. Therefore, RFC 1123 wins, no contest. - -From RFC 1123, Section 2.1 - - 2.1 Host Names and Numbers - - The syntax of a legal Internet host name was specified in RFC-952 - [DNS:4]. One aspect of host name syntax is hereby changed: the - restriction on the first character is relaxed to allow either a - letter or a digit. Host software MUST support this more liberal - syntax. - - And described by Dave Barr in RFC1912: - - Allowable characters in a label for a host name are only ASCII - letters, digits, and the `-' character. Labels may not be all - numbers, but may have a leading digit (e.g., 3com.com). Labels must - end and begin only with a letter or digit. See [RFC 1035] and [RFC - 1123]. (Labels were initially restricted in [RFC 1035] to start with - a letter, and some older hosts still reportedly have problems with - the relaxation in [RFC 1123].) Note there are some Internet - hostnames which violate this rule (411.org, 1776.com). - -Finally, one more piece of information (From Paul Vixie): - - RFC 1034 says only that domain names have characters in them, though it - says so with enough fancy and indirection that it's hard to tell exactly. - - Generally, for second level domains (i.e., something you would get from - InterNIC or from the US Domain Registrar and probably other ISO 3166 - country code TLDs), RFC 952 is thought to apply. RFC 952 was about host - names rather than domain names, but the rules seemed good enough. - - <domainname> ::= <hname> - - <hname> ::= <name>*["."<name>] - <name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>] - -There has been a recent update on this subject which may be found in - -ftp.internic.net : /internet-drafts/draft-andrews-dns-hostnames-03.txt. - ------------------------------------------------------------------------------ - -Question 4.7. What is lame delegation ? - -Date: Mon Aug 5 22:45:02 EDT 1996 - -Two things are required for a lame delegation: - -* A nameserver X is delegated as authoritative for a zone. -* Nameserver X is not performing nameservice for that zone. - -Try to think of a lame delegation as a long-term condition, brought about -by a misconfiguration somewhere. Bryan Beecher's 1992 LISA paper on lame -delegations is good to read on this. The problem really lies in -misconfigured nameservers, not "lameness" brought about by transient -outages. The latter is common on the Internet and hard to avoid, while -the former is correctable. - -In order to be performing nameservice for a zone, it must have (presumed -correct) data for that zone, and it must be answering authoritatively to -resolver queries for that zone. (The AA bit is set in the flags section) - -The "classic" lame delegation case is when nameserver X is delegated as -authoritative for domain Y, yet when you ask Y about X, it returns -non-authoritative data. - -Here's an example that shows what happens most often (using dig, dnswalk, -and doc to find). - -Let's say the domain bogus.com gets registered at the NIC and they have -listed 2 primary name servers, both from their *upstream* provider: - - bogus.com IN NS ns.bogus.com - bogus.com IN NS upstream.com - bogus.com IN NS upstream1.com - -So the root servers have this info. But when the admins at bogus.com -actually set up their zone files they put something like: - - bogus.com IN NS upstream.com - bogus.com IN NS upstream1.com - -So your name server may have the nameserver info cached (which it may have -gotten from the root). The root says "go ask ns.bogus.com" since they are -authoritative - -This is usually from stuff being registered at the NIC (either nic.ddn.mil -or rs.internic.net), and then updated later, but the folks who make the -updates later never let the folks at the NIC know about it. - ------------------------------------------------------------------------------ - -Question 4.8. How can I see if the server is "lame" ? - -Date: Mon Aug 5 22:45:02 EDT 1996 - -Go to the authoritative servers one level up, and ask them who they think -is authoritative, and then go ask each one of those delegees if they think -that they themselves are authoritative. If any responds "no", then you -know who the lame delegation is, and who is delegating lamely to them. -You can then send off a message to the administrators of the level above. - -The 'lamers' script from Byran Beecher really takes care of all this for -you. It parses the lame delegation notices from BIND's syslog and -summarizes them for you. It may be found in the contrib section of the -latest BIND distribution. The latest version is available for anonymous -ftp from - -terminator.cc.umich.edu : /dns/lame-delegations/ - - If you want to actively check for lame delegations, you can use 'doc' -and 'dnswalk'. You can check things manually with 'dig'. - -The InterNIC recently announced a new lame delegation that will be in -effect on 01 October, 1996. Here is a summary: - -* After receipt/processing of a name registration template, and at random - intervals thereafter, the InterNIC will perform a DNS query via UDP - Port 53 on domain names for an SOA response for the name being - registered. -* If the query of the domain name returns a non-authoritative response - from all the listed name servers, the query will be repeated four times - over the next 30 days at random intervals approximately 7 days apart, - with notification to all listed whois and nameserver contacts of the - possible pending deletion. If at least one server answers correctly, - but one or more are lame, FYI notifications will be sent to all contacts - and checking will be discontinued. Additionally, e-mail notices will be - provided to the contact for the name servers holding the delegation to - alert them to the "lame" condition. Notifications will state explicitly - the consequences of not correcting the "lame" condition and will be - assigned a descriptive subject as follows: - - Subject: Lame Delegation Notice: DOMAIN_NAME - - The notification will include a timestamp for when the query was - performed. -* If, following 30 days, the name servers still provide no SOA response, - the name will be placed in a "hold" status and the DNS information will - no longer be propagated. The administrative contact will be notified by - postal mail and all whois contacts will be notified by e-mail, with - instructions for taking corrective action. -* Following 60 days in a "hold" status, the name will be deleted and made - available for reregistration. Notification of the final deletion will - be sent to the name server and domain name contacts listed in the NIC - database. - ------------------------------------------------------------------------------ - -Question 4.9. What does opt-class field in a zone file do? - -Date: Thu Dec 1 11:10:39 EST 1994 - -This field is the address class. From the BOG - - - ...is the address class; currently, only one class - is supported: IN for internet addresses and other - internet information. Limited support is included for - the HS class, which is for MIT/Athena ``Hesiod'' - information. ------------------------------------------------------------------------------ - -Question 4.10. Top level domains - -Date: Fri Dec 6 15:13:35 EST 1996 - -A section from RFC 1591: - - 2. The Top Level Structure of the Domain Names - - In the Domain Name System (DNS) naming of computers there is a - hierarchy of names. The root of system is unnamed. There are a set - of what are called "top-level domain names" (TLDs). These are the - generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two - letter country codes from ISO-3166. It is extremely unlikely that - any other TLDs will be created. - ------ - -[ Ed note: the ISO-3166 country codes may be found for anonymous ftp -from: - -* ftp.isi.edu : /in-notes/iana/assignments/country-codes -* ftp.ripe.net : /iso3166-codes - -] - -[ Ed note: Since the Internic started charging for registration services, -(and for other reasons) there are a number of groups that want to offer -an alternative to registering a domain under a "standard" TLD. More -information on some of these options may be found at: - -* http://www.alternic.net/ -* http://www.eu.org/ -* http://www.ml.org/mljoin.html - -You may participate in one of the discussions on iTLD proposals at - -* To sign up: http://www.newdom.com/lists -* Old postings: http://www.newdom.com/archive - -] - ------ - - ... - Under each TLD may be created a hierarchy of names. Generally, under - the generic TLDs the structure is very flat. That is, many - organizations are registered directly under the TLD, and any further - structure is up to the individual organizations. - - In the country TLDs, there is a wide variation in the structure, in - some countries the structure is very flat, in others there is - substantial structural organization. In some country domains the - second levels are generic categories (such as, AC, CO, GO, and RE), - in others they are based on political geography, and in still others, - organization names are listed directly under the country code. The - organization for the US country domain is described in RFC 1480. - - Each of the generic TLDs was created for a general category of - organizations. The country code domains (for example, FR, NL, KR, - US) are each organized by an administrator for that country. These - administrators may further delegate the management of portions of the - naming tree. These administrators are performing a public service on - behalf of the Internet community. Descriptions of the generic - domains and the US country domain follow. - - Of these generic domains, five are international in nature, and two - are restricted to use by entities in the United States. - - World Wide Generic Domains: - - COM - This domain is intended for commercial entities, that is - companies. This domain has grown very large and there is - concern about the administrative load and system performance if - the current growth pattern is continued. Consideration is - being taken to subdivide the COM domain and only allow future - commercial registrations in the subdomains. - - EDU - This domain was originally intended for all educational - institutions. Many Universities, colleges, schools, - educational service organizations, and educational consortia - have registered here. More recently a decision has been taken - to limit further registrations to 4 year colleges and - universities. Schools and 2-year colleges will be registered - in the country domains (see US Domain, especially K12 and CC, - below). - - NET - This domain is intended to hold only the computers of network - providers, that is the NIC and NOC computers, the - administrative computers, and the network node computers. The - customers of the network provider would have domain names of - their own (not in the NET TLD). - - ORG - This domain is intended as the miscellaneous TLD for - organizations that didn't fit anywhere else. Some non- - government organizations may fit here. - - INT - This domain is for organizations established by international - treaties, or international databases. - - United States Only Generic Domains: - - GOV - This domain was originally intended for any kind of government - office or agency. More recently a decision was taken to - register only agencies of the US Federal government in this - domain. State and local agencies are registered in the country - domains (see US Domain, below). - - MIL - This domain is used by the US military. - - Example country code Domain: - - US - As an example of a country domain, the US domain provides for - the registration of all kinds of entities in the United States - on the basis of political geography, that is, a hierarchy of - <entity-name>.<locality>.<state-code>.US. For example, - "IBM.Armonk.NY.US". In addition, branches of the US domain are - provided within each state for schools (K12), community - colleges (CC), technical schools (TEC), state government - agencies (STATE), councils of governments (COG),libraries - (LIB), museums (MUS), and several other generic types of - entities (see RFC 1480 for details). - - -A section from RFC 1480: - - 2. NAMING STRUCTURE - - The US Domain hierarchy is based on political geography. The - basic name space under US is the state name space, then the - "locality" name space, (like a city, or county) then - organization or computer name and so on. - - For example: - - BERKELEY.CA.US - PORTLAND.WA.US - - There is of course no problem with running out of names. - - The things that are named are individual computers. - - If you register now in one city and then move, the database can - be updated with a new name in your new city, and a pointer can - be set up from your old name to your new name. This type of - pointer is called a CNAME record. - - The use of unregistered names is not effective and causes problems - for other users. Inventing your own name and using it without - registering is not a good idea. - - In addition to strictly geographically names, some special names - are used, such as FED, STATE, AGENCY, DISTRICT, K12, LIB, CC, - CITY, and COUNTY. Several new name spaces have been created, - DNI, GEN, and TEC, and a minor change under the "locality" name - space was made to the existing CITY and COUNTY subdomains by - abbreviating them to CI and CO. A detailed description - follows. - - Below US, Parallel to States: - ----------------------------- - - "FED" - This branch may be used for agencies of the federal - government. For example: <org-name>.<city>.FED.US - - "DNI" - DISTRIBUTED NATIONAL INSTITUTES - The "DNI" branch was - created directly under the top-level US. This branch is to be used - for distributed national institutes; organizations that span state, - regional, and other organizational boundaries; that are national in - scope, and have distributed facilities. For example: - <org-name>.DNI.US. - - Name Space Within States: - ------------------------ - - "locality" - cities, counties, parishes, and townships. Subdomains - under the "locality" would be like CI.<city>.<state>.US, - CO.<county>.<state>.US, or businesses. For example: - Petville.Marvista.CA.US. - - "CI" - This branch is used for city government agencies and is a - subdomain under the "locality" name (like Los Angeles). For example: - Fire-Dept.CI.Los-Angeles.CA.US. - - "CO" - This branch is used for county government agencies and is a - subdomain under the "locality" name (like Los Angeles). For example: - Fire-Dept.CO.San-Diego.CA.US. - - "K12" - This branch may be used for public school districts. A - special name "PVT" can be used in the place of a school district name - for private schools. For example: <school-name>.K12.<state>.US and - <school-name>.PVT.K12.<state>.US. - - "CC" - COMMUNITY COLLEGES - This branch was established for all state - wide community colleges. For example: <school-name>.CC.<state>.US. - - "TEC" - TECHNICAL AND VOCATIONAL SCHOOLS - The branch "TEC" was - established for technical and vocational schools and colleges. For - example: <school-name>.TEC.<state>.US. - - "LIB" - LIBRARIES (STATE, REGIONAL, CITY, COUNTY) - This branch may - be used for libraries only. For example: <lib-name>.LIB.<state>.US. - - "STATE" - This branch may be used for state government agencies. For - example: <org-name>.STATE.<state>.US. - - "GEN" - GENERAL INDEPENDENT ENTITY - This branch is for the things - that don't fit easily into any other structure listed -- things that - might fit in to something like ORG at the top-level. It is best not - to use the same keywords (ORG, EDU, COM, etc.) that are used at the - top-level to avoid confusion. GEN would be used for such things as, - state-wide organizations, clubs, or domain parks. For example: - <org-name>.GEN.<state-code>.US. - -The application form for the US domain may be found: - -* for anonymous ftp from internic.net : /templates/us-domain-template.txt -* http://www.isi.edu/us-domain/ - -The application form for the EDU, COM, NET, ORG, and GOV domains may be -found for anonymous ftp from: - -internic.net : /templates/domain-template.txt - ------------------------------------------------------------------------------ - -Question 4.11. Classes of networks - -Date: Wed Sep 4 22:59:27 EDT 1996 - -The usage of 'classes of networks' (class A, B, C) are historical and have -been replaced by CIDR blocks on the Internet. That being said... - -An Internet Protocol (IP) address is 32 bit in length, divided into two -or three parts (the network address, the subnet address (if present), and -the host address. The subnet addresses are only present if the network -has been divided into subnetworks. The length of the network, subnet, and -host field are all variable. - -There are five different network classes. The leftmost bits indicate the -class of the network. - - # of # of - bits in bits in - network host -Class field field Internet Protocol address in binary Ranges -============================================================================ - A 7 24 0NNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH 1-127.x.x.x - B 14 16 10NNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH 128-191.x.x.x - C 22 8 110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH 192-223.x.x.x - D NOTE 1 1110xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 224-239.x.x.x - E NOTE 2 11110xxx.xxxxxxxx.xxxxxxxx.xxxxxxxx 240-247.x.x.x - - where N represents part of the network address and H represents part of - the host address. When the subnet address is defined, the needed bits - are assigned from the host address space. - - NOTE 1: Reserved for multicast groups - RFC 1112 - NOTE 2: Reserved for future use - - 127.0.0.1 is reserved for local loopback. - ------------------------------------------------------------------------------ - -Question 4.12. What is CIDR ? - -Date: Tue Nov 5 23:47:29 EST 1996 - -CIDR is "Classless Inter-Domain Routing (CIDR). From RFC 1517: - - ...Classless Inter-Domain Routing (CIDR) attempts to deal with - these problems by defining a mechanism to slow the growth of - routing tables and reduce the need to allocate new IP network - numbers. - -Much more information may be obtained in RFCs 1467, 1517, 1518, 1520; -with primary reference 1519. - -Also please see the CIDR FAQ at - -* http://www.ibm.net.il/~hank/cidr.html -* http://www.rain.net/faqs/cidr.faq.html -* http://www.lab.unisource.ch/services/internet/direct/cidr.html - ------------------------------------------------------------------------------ - -Question 4.13. What is the rule for glue ? - -Date: Fri Apr 28 13:31:24 EDT 1995 - -A glue record is an A record for a name that appears on the right-hand -side of a NS record. So, if you have this: - - - sub.foobar.com. IN NS dns.sub.foobar.com. - dns.sub.foobar.com. IN A 1.2.3.4 - -then the second record is a glue record (for the NS record above it). - -You need glue records when -- and only when -- you are delegating -authority to a nameserver that "lives" in the domain you are delegating -*and* you aren't a secondary server for that domain. - -In other words, in the example above, you need to add an A record for -dns.sub.foobar.com since it "lives" in the domain it serves. This boot -strapping information is necessary: How are you supposed to find out the -IP address of the nameserver for domain FOO if the nameserver for FOO -"lives" in FOO? - -If you have this NS record: - - sub.foobar.com. IN NS dns.xyz123.com. - -you do NOT need a glue record, and, in fact, adding one is a very bad -idea. If you add one, and then the folks at xyz123.com change the -address, then you will be passing out incorrect data. - -Also, unless you actually have a machine called something.IN-ADDR.ARPA, -you will never have any glue records present in any of your "reverse" -files. - -There is also a sort of implicit glue record that can be useful (or -confusing :^) ). If the parent server (abc.foobar.com domain in example -above) is a secondary server for the child, then the A record will be -fetched from the child server when the zone transfer is done. The glue is -still there but it's a little different, it's in the ip address in the -named.boot line instead of explicitly in the data. In this case you can -leave out the explicit glue A record and leave the manually configured -"glue" in just the one place in the named.boot file. - -RFC 1537 says it quite nicely: - - 2. Glue records - - Quite often, people put unnecessary glue (A) records in their - zone files. Even worse is that I've even seen *wrong* glue records - for an external host in a primary zone file! Glue records need only - be in a zone file if the server host is within the zone and there - is no A record for that host elsewhere in the zone file. - - Old BIND versions ("native" 4.8.3 and older versions) showed the - problem that wrong glue records could enter secondary servers in - a zone transfer. - - -The remainder of the FAQ is in the next part (Part 2 of 2). - |