DNS records are organized in zones; each zone matches either a domain (or a subdomain) or an IP address range (since IP addresses are generally allocated in consecutive ranges). A primary server is authoritative for the contents of a zone; secondary servers, usually hosted on separate machines, provide regularly refreshed copies of the primary zone.
Each zone can contain records of various kinds (Resource Records):

CNAME
: alias (canonical name).

MX
: mail exchange, an email server. This information is used by other email servers to find where to send email addressed to a given address. Each MX record has a priority. The highest-priority server (the one with the lowest number) is tried first (see sidebar); the other servers are contacted in order of decreasing priority if the first one does not reply.

AAAA
: IPv6 address.

NS
: maps a name to a name server. Each domain must have at least one NS record. These records point at a DNS server that can answer queries concerning this domain; they usually point at the primary and secondary servers for the domain. These records also allow DNS delegation; for instance, the zone can include an NS record for internal.falcot.com, which means that the internal.falcot.com zone is handled by another server. Of course, this server must declare an internal.falcot.com zone.
Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which lets a validating resolver detect and reject forged records injected by a man-in-the-middle attacker. Note that DNSSEC authenticates the data; it does not encrypt queries or answers.
CULTURE DNSSEC
The DNSSEC standard is quite complex; this partly explains why it is not in widespread usage yet (even if it coexists perfectly with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article.
→ http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
10.6.2. Configuration
Configuration files for bind, irrespective of version, have the same structure.
The Falcot administrators created a primary falcot.com zone to store information related to this domain, and a 168.192.in-addr.arpa zone for reverse mapping of IP addresses in the local networks.
CAUTION Names of reverse zones
Reverse zones have a particular name. The zone covering the 192.168.0.0/16 network needs to be named 168.192.in-addr.arpa: the IP address components are reversed, and followed by the in-addr.arpa suffix.
TIP Testing the DNS server
The host command (in the bind9-host package) queries a DNS server, and can be used to test the server configuration. For example, host machine.falcot.com localhost checks the local server's reply for the machine.falcot.com query. host *ipaddress* localhost tests the reverse resolution.
The following configuration excerpts, taken from the Falcot files, can serve as starting points to configure a DNS server:
Example 10.12. Excerpt of /etc/bind/named.conf.local
Example 10.13. Excerpt of /etc/bind/db.falcot.com
CAUTION Syntax of a name
The syntax of machine names follows strict rules. For instance, machine implies machine.*domain*. If the domain name should not be appended to a name, said name must be written as machine. (with a dot as suffix). Indicating a DNS name outside the current domain therefore requires the fully qualified form with the final dot; forgetting it silently produces a name with the current domain appended, which is a frequent cause of broken NS, MX, CNAME and PTR records.
Example 10.14. Excerpt of /etc/bind/db.192.168
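The following Python script is an added illustration of the three rules stated in this section (MX priority ordering and NS delegation from the record list, the naming of reverse zones, and the trailing-dot rule for names); it is not code from the handbook or from bind. It implements a deliberately small subset of the zone master-file format and applies the name-qualification rule the way bind does when it loads a zone, so that the effect of a forgotten final dot becomes visible. The two zone texts embedded in it are constructed for the example and are not the Falcot files; hosts such as mail, mail2, ns1 and the external secondary ns2.example.net are assumptions.

```python
import ipaddress

NAME_TYPES = ("NS", "CNAME", "PTR")  # record types whose rdata is a single domain name


def qualify(name, origin):
    """Master-file name rule: a name without a final dot is relative to the
    zone origin, a name ending in '.' is already absolute, '@' is the origin."""
    if not origin.endswith("."):
        origin += "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def reverse_zone(network):
    """Name of the in-addr.arpa zone covering an IPv4 network on an octet
    boundary: reversed address octets plus the in-addr.arpa suffix
    (192.168.0.0/16 -> 168.192.in-addr.arpa)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24, 32):
        raise ValueError("only IPv4 networks with a /8, /16, /24 or /32 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address):
    """Owner name of the PTR record for one address (192.168.0.1 ->
    1.0.168.192.in-addr.arpa), via the standard library."""
    return ipaddress.ip_address(address).reverse_pointer


def parse_zone(text, origin):
    """Parse a small subset of the zone file format: $ORIGIN, $TTL and
    single-line records 'owner [ttl] [IN] type rdata'. A blank owner field
    reuses the previous owner. Names in the owner field and in the rdata of
    name-valued types are qualified with qualify(), as bind does on load.
    Returns a list of (owner, ttl, type, rdata) tuples."""
    records = []
    default_ttl = None
    last_owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if not line[0].isspace():  # an owner is given on this line
            last_owner = fields.pop(0)
        owner = qualify(last_owner, origin)
        ttl = int(fields.pop(0)) if fields[0].isdigit() else default_ttl
        if fields[0] == "IN":
            fields.pop(0)
        rtype = fields.pop(0)
        if rtype in NAME_TYPES:
            rdata = qualify(fields[0], origin)
        elif rtype == "MX":
            rdata = (int(fields[0]), qualify(fields[1], origin))
        elif rtype == "SOA":
            rdata = (qualify(fields[0], origin), qualify(fields[1], origin)) + tuple(int(f) for f in fields[2:])
        else:
            rdata = " ".join(fields)
        records.append((owner, ttl, rtype, rdata))
    return records


def mx_order(records, domain):
    """Mail exchangers of a domain in the order a sending MTA tries them:
    lowest preference number first."""
    mx = [r[3] for r in records if r[2] == "MX" and r[0] == domain]
    return [target for _pref, target in sorted(mx)]


def lookup(records, owner, rtype):
    """Rdata of every record of one type for an owner name."""
    return [r[3] for r in records if r[0] == owner and r[2] == rtype]


# Constructed sample zones for this example (not the Falcot files from the book).
FORWARD_ZONE = """\
$TTL 86400
$ORIGIN falcot.com.
@            IN SOA   ns1 hostmaster 2024010101 7200 3600 1209600 86400
             IN NS    ns1
             IN NS    ns2.example.net.   ; secondary outside the domain: final dot
             IN MX    20 mail2
             IN MX    10 mail
ns1          IN A     192.168.0.2
mail         IN A     192.168.0.3
mail2        IN A     192.168.0.4
www          IN CNAME mail
internal     IN NS    ns1.internal       ; delegation: internal.falcot.com is another zone
ns1.internal IN A     192.168.1.2        ; glue record for the delegated server
"""

REVERSE_ZONE = """\
$TTL 86400
1.0          IN PTR   ns1.falcot.com.
2.0          IN PTR   mail.falcot.com    ; final dot forgotten: the zone name gets appended
"""

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "falcot.com")
    rev = parse_zone(REVERSE_ZONE, reverse_zone("192.168.0.0/16"))
    print("MX order:", mx_order(fwd, "falcot.com."))
    print("delegation:", lookup(fwd, "internal.falcot.com.", "NS"))
    for owner, _ttl, _type, target in (r for r in rev if r[2] == "PTR"):
        print(owner, "->", target)
```

Running it shows the MX servers tried as mail then mail2 (preference 10 before 20), the delegation of internal.falcot.com to ns1.internal.falcot.com, and, for the reverse zone, that the record written without a final dot resolves to mail.falcot.com.168.192.in-addr.arpa. rather than mail.falcot.com.; the same mistake in a real db file produces exactly that bogus name, which host *ipaddress* localhost will reveal.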