Gentoo's Bugzilla – Attachment 230703 Details for Bug 302361: net-dns/bind-9.7 version bump request
Attachment 230703: net-dns/bind/files/named.conf-r4
named.conf-r4 (text/plain), 19.26 KB, created by Stevan Bajić on 2010-05-07 15:20:01 UTC
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind-9.*/ for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with simple mistakes,
// you can break connectivity for affected parties, or cause huge amounts of
// useless Internet traffic.

options {
	// All file and path names are relative to the chroot directory, if
	// any, and should be fully qualified.
	directory "/var/bind";
	pid-file "/var/run/named/named.pid";

// If you have IPv6 enabled on this system, uncomment this option for use as a
// local resolver. To give access to the network, specify an IPv6 address (use
// '::1' for IPv6 localhost), or the keyword 'any', or use 'none' for no IPv6.
	listen-on-v6 { "none"; };

// If named is being used only as a local resolver, this is a safe default. For
// named to be accessible to the network, comment this option, specify the
// proper IP address, or delete this option.
	listen-on { 127.0.0.1; };

// If you've got a DNS server around at your upstream provider, enter its
// IP address here, and enable the line below. This will make you benefit
// from its cache, thus reduce overall DNS traffic in the Internet.
//
// Uncomment the following lines to turn on DNS forwarding, and change
// and/or update the forwarding ip address(es):
/*
	forwarders {
		123.123.123.123;	// Your ISP NS
		124.124.124.124;	// Your ISP NS
		4.2.2.1;		// Level3 Public DNS
		4.2.2.2;		// Level3 Public DNS
		8.8.8.8;		// Google Open DNS
		8.8.4.4;		// Google Open DNS
	};
*/

// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer. Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
//	forward only;

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines
// out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// Usage of this DNS server limited to members of:
/*
	allow-query {
		127.0.0.0/8;
		::1/128;
	};
*/

// Global notification
/*
	also-notify {
		12.34.56.78;
	};
*/

// Zone transfers limited to members of:
	allow-transfer {
		"xfer";		// "xfer" ACL (see below)
		"trusted";	// "trusted" ACL (see below)
	};

// Limit which clients can use recursion to members of:
	allow-recursion {
		"trusted";	// "trusted" ACL (see below)
	};

// Deny anything from the bogon networks as detailed in the "bogon" ACL.
	blackhole {
		"bogon";	// "bogon" ACL (see below)
	};

// Turn on dnssec awareness
	// dnssec-enable yes;

/* Modern versions of BIND use a random UDP port for each outgoing query
   by default in order to dramatically reduce the possibility of cache
   poisoning.
   All users are strongly encouraged to utilize this feature, and to
   configure their firewalls to accommodate it.

   AS A LAST RESORT in order to get around a restrictive firewall policy
   you can try enabling the option below. Use of this option will
   significantly reduce your ability to withstand cache poisoning attacks,
   and should be avoided if at all possible.

   Replace NNNNN in the example with a number between 49160 and 65530.
*/
//	query-source address * port NNNNN;

};

include "/etc/bind/rndc.key";

controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

// If you need logging with BIND, then enable the sections below and change them to
// fit your logging requirements.
/*
logging {

	// Logging channels
	channel file_query_log {
		file "/var/log/named/query.log" versions 5 size 50M;
		severity info;
		print-time yes;
		print-severity yes;
	};
	channel file_bind_log {
		file "/var/log/named/bind.log" versions 20 size 50M;
		severity info;
		print-time yes;
		print-category yes;
		print-severity yes;
	};

	// Common Logging Categories
	category default {
		// Options for those categories where no specific
		// configuration has been defined.
		file_bind_log;
	};
	category config {
		// Configuration file parsing and processing.
		file_bind_log;
	};
	category queries {
		// Short query logging.
		file_query_log;
	};
	category lame-servers {
		// These are misconfigurations in remote servers,
		// discovered by the BIND name server when trying
		// to query those servers during resolution.
		null;
	};
	category update {
		// Dynamic updates.
		file_bind_log;
	};
	category xfer-in {
		// Zone transfers the server is receiving.
		file_bind_log;
	};
	category xfer-out {
		// Zone transfers the server is sending.
		file_bind_log;
	};
	category security {
		// Approval and denial of requests.
		file_bind_log;
	};

	// Logging Categories for BIND 9 only
	category client {
		// Processing of client requests.
		file_bind_log;
	};
	category database {
		// Messages relating to the databases used
		// internally by the name server to store
		// zone and cache data.
		file_bind_log;
	};
	category dispatch {
		// Dispatching of incoming packets to the
		// server modules where they are to be processed.
		file_bind_log;
	};
	category dnssec {
		// DNSSEC and TSIG protocol processing.
		file_bind_log;
	};
	category general {
		// The catch-all.
		file_bind_log;
	};
	category network {
		// Network operations.
		file_bind_log;
	};
	category resolver {
		// DNS resolution, such as the recursive lookups
		// performed on behalf of clients by a caching
		// name server.
		file_bind_log;
	};
	category unmatched {
		// Messages that named was unable to determine
		// the class of or for which there was no matching
		// view. A one line summary is also logged to the
		// client category.
		file_bind_log;
	};
};
*/

// BIND acl (Access Control List) clause available in BIND 9.x. The 'acl'
// clause allows fine-grained control over what hosts or users may perform
// what operations on the name server.
acl "bogon" {
/* Filter out the bogon networks. These are networks listed by IANA as test,
   RFC1918, Multicast, experimental, etc. If you see DNS queries or updates
   with a source address within these networks, this is likely of malicious
   origin.

   CAUTION: If you are using RFC1918 netblocks on your network, remove those
   netblocks from this list of blackhole ACLs!

   For a full list visit:
   http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
*/
	0.0.0.0/8;
	1.0.0.0/8;
	2.0.0.0/8;
	10.0.0.0/8;
	169.254.0.0/16;
	172.16.0.0/12;
	192.0.2.0/24;
	192.168.0.0/16;
	224.0.0.0/3;
	240.0.0.0/4;
};

acl "xfer" {
	/* Allow no transfers. If we have other name servers, place them here. */
	// 127.0.0.1/32;
	// ::1/128;
	"none";
};

acl "trusted" {
	127.0.0.0/8;
	::1/128;
};

/* Example of an RFC1918 network range
acl "mylocalnet" {
	192.168.0.0/24;
};
*/

// If you enable a local name server, don't forget to enter 127.0.0.1 first in
// your /etc/resolv.conf so this server will be queried. Also, make sure to
// enable it at startup: rc-update add named default

// Example of an internal/restricted view
view "internal" {
	// Allow only trusted clients to use the internal view
	match-clients { "trusted"; };

	// The traditional root hints mechanism. Use this, OR the slave zones below.
	zone "." IN { type hint; file "named.cache"; };

	/* Slaving the following zones from the root name servers has some
	   significant advantages:
	   1. Faster local resolution for your users
	   2. No spurious traffic will be sent from your network to the roots
	   3. Greater resilience to any potential root server failure/DDoS

	   On the other hand, this method requires more monitoring than
	   the hints file to be sure that an unexpected failure mode has
	   not incapacitated your server. Name servers that are serving a
	   lot of clients will benefit more from this approach than
	   individual hosts. Use with caution.

	   To use this mechanism, uncomment the entries below, and comment
	   the hint zone above.
	*/
	/*
	zone "." IN {
		type slave;
		file "sec/root.zone";
		masters {
			192.5.5.241;	// F.ROOT-SERVERS.NET.
		};
		notify no;
	};
	zone "arpa" IN {
		type slave;
		file "sec/arpa.zone";
		masters {
			192.5.5.241;	// F.ROOT-SERVERS.NET.
		};
		notify no;
	};
	zone "in-addr.arpa" IN {
		type slave;
		file "sec/in-addr.arpa.zone";
		masters {
			192.5.5.241;	// F.ROOT-SERVERS.NET.
		};
		notify no;
	};
	*/

	/* Serving the following zones locally will prevent any queries
	   for these zones leaving your network and going to the root
	   name servers. This has two significant advantages:
	   1. Faster local resolution for your users
	   2. No spurious traffic will be sent from your network to the roots
	*/
	// RFC 1912 (and BCP 32 for localhost)
	zone "localhost" IN { type master; file "pri/localhost.zone"; };
	zone "127.in-addr.arpa" IN { type master; file "pri/127.zone"; };
	zone "255.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// RFC 1912-style zone for IPv6 localhost address
	zone "0.ip6.arpa" IN { type master; file "pri/127.zone"; };

	// "This" Network (RFCs 1912 and 3330)
	zone "0.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// Private Use Networks (RFC 1918)
	zone "10.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "16.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "17.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "18.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "19.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "20.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "21.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "22.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "23.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "24.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "25.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "26.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "27.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "28.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "29.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "30.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "31.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "168.192.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// Link-local/APIPA (RFCs 3330 and 3927)
	zone "254.169.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// TEST-NET-[1-3] for Documentation (RFC 5737)
	zone "2.0.192.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "100.51.198.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "113.0.203.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Range for Documentation (RFC 3849)
	zone "0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// Domain Names for Documentation and Testing (BCP 32)
	zone "test" IN { type master; file "pri/empty.zone"; };
	zone "example" IN { type master; file "pri/empty.zone"; };
	zone "invalid" IN { type master; file "pri/empty.zone"; };
	zone "example.com" IN { type master; file "pri/empty.zone"; };
	zone "example.net" IN { type master; file "pri/empty.zone"; };
	zone "example.org" IN { type master; file "pri/empty.zone"; };

	// Router Benchmark Testing (RFC 3330)
	zone "18.198.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "19.198.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// IANA Reserved - Old Class E Space
	zone "240.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "241.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "242.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "243.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "244.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "245.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "246.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "247.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "248.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "249.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "250.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "251.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "252.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "253.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "254.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Unassigned Addresses (RFC 4291)
	zone "1.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "3.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "4.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "5.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "6.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "7.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "8.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "9.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "a.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "b.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "c.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "d.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "e.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "0.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "1.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "2.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "3.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "4.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "5.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "6.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "7.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "8.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "9.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "a.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "b.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "0.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "1.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "2.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "3.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "4.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "5.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "6.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "7.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 ULA (RFC 4193)
	zone "c.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "d.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Link Local (RFC 4291)
	zone "8.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "9.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "a.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "b.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Deprecated Site-Local Addresses (RFC 3879)
	zone "c.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "d.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "e.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "f.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IP6.INT is Deprecated (RFC 4159)
	zone "ip6.int" IN { type master; file "pri/empty.zone"; };

	/* Briefly, a zone which has been declared delegation-only will be
	   effectively limited to containing NS RRs for subdomains, but no
	   actual data beyond its own apex (for example, its SOA RR and
	   apex NS RRset). This can be used to filter out "wildcard" or
	   "synthesized" data from NAT boxes or from authoritative name
	   servers whose undelegated (in-zone) data is of no interest.

	   See http://www.isc.org/products/BIND/delegation-only.html for more info
	*/
	//zone "COM" IN { type delegation-only; };
	//zone "NET" IN { type delegation-only; };

	// NB: Do not use the IP addresses below, they are faked, and only
	// serve demonstration/documentation purposes!
	//
	// Example slave zone config entries. It can be convenient to become a
	// slave at least for the zone your own domain is in. Ask your network
	// administrator for the IP address of the responsible master name
	// server.
	//
	// Do not forget to include the reverse lookup zone!
	// This is named after the first bytes of the IP address, in reverse
	// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
	//
	// Before starting to set up a master zone, make sure you fully
	// understand how DNS and BIND work. There are sometimes non-obvious
	// pitfalls. Setting up a slave zone is usually simpler.
	//
	// NB: Don't blindly enable the examples below. :-) Use actual names
	// and addresses instead.

	/* Example of a dynamic zone
	key "mynetlocalkey" {
		algorithm hmac-md5;
		secret "X+rpTqYj1RhAqamJqQEkqA==";
	};
	zone "mynet.local" IN {
		type master;
		allow-update {
			key "mynetlocalkey";
		};
		file "pri/mynet.local.zone";
	};
	*/

	/* Example of a primary zone
	zone "mynet.local" IN {
		type master;
		allow-update {
			"none";
		};
		file "pri/mynet.local.zone";
	};
	*/

	/* Example of a slave reverse zone
	zone "1.168.192.in-addr.arpa" IN {
		type slave;
		masters {
			192.168.1.1;
		};
		file "sec/1.168.192.in-addr.arpa.zone";
	};
	*/
};

// Example of a public view
view "public" {
	match-clients {
		"any";
	};

	zone "." IN { type hint; file "named.cache"; };

	// NB: Do not use the IP addresses below, they are faked, and only
	// serve demonstration/documentation purposes!
	//
	// Example slave zone config entries. It can be convenient to become a
	// slave at least for the zone your own domain is in. Ask your network
	// administrator for the IP address of the responsible master name
	// server.
	//
	// Do not forget to include the reverse lookup zone!
	// This is named after the first bytes of the IP address, in reverse
	// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
	//
	// Before starting to set up a master zone, make sure you fully
	// understand how DNS and BIND work. There are sometimes non-obvious
	// pitfalls. Setting up a slave zone is usually simpler.
	//
	// NB: Don't blindly enable the examples below. :-) Use actual names
	// and addresses instead.

	/* Example of a dynamic zone
	key "mydomainkey" {
		algorithm hmac-md5;
		secret "oxSW0LFJsazS0P5ezVnQ2A==";
	};
	zone "mydomain.com" IN {
		type master;
		allow-update {
			key "mydomainkey";
		};
		file "pri/mydomain.com.zone";
	};
	*/

	/* Example of a primary zone
	zone "mydomain.com" IN {
		type master;
		allow-update {
			"none";
		};
		file "pri/mydomain.com.zone";
	};
	*/

	/* Example of a slave reverse zone
	zone "56.34.12.in-addr.arpa" IN {
		type slave;
		masters {
			12.34.56.78;
		};
		file "sec/56.34.12.in-addr.arpa.zone";
	};
	*/
};
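The attached file ties its security posture to a handful of options statements (allow-recursion and allow-transfer limited to named ACLs, listen-on on loopback, and the commented-out fixed query-source port it warns against). The audit script below is an added example, not part of the attachment or the Gentoo package: it strips the three comment styles named.conf accepts, resolves ACL names the way the file uses "xfer" and "trusted", and reports the open settings on a constructed excerpt; the rule that an absent allow-transfer or listen-on falls back to an open default is an assumption about BIND 9.7-era behaviour.

```python
import re
# Constructed excerpts modelled on the attached named.conf (not the file itself).
HARDENED = """
options {
    listen-on { 127.0.0.1; };
    allow-transfer { "xfer"; "trusted"; };
    allow-recursion { "trusted"; };  /* ACL names, resolved below */
    // query-source address * port 53000;
};
acl "xfer" { "none"; };
acl "trusted" { 127.0.0.0/8; ::1/128; };
"""
WEAK = 'options { allow-recursion { any; }; query-source address * port 53000; };'

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    return re.sub(r"(//|#)[^\n]*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def block_body(text, header_re):
    """Text between the braces of the first statement whose header matches."""
    m = re.search(header_re + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def elements(body):
    """Entries of an address_match_list body, unquoted."""
    return [t.strip().strip('"') for t in body.split(";") if t.strip()]

def acl_map(conf):
    """Name -> entries for every acl clause (call on comment-stripped text)."""
    return {m.group(1): elements(block_body(conf[m.start():], r"acl[^{]*"))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', conf)}

def expand(entries, acls, seen=()):
    """Replace ACL names by their members so an 'any' hidden in an ACL is seen."""
    out = []
    for e in entries:
        nested = e in acls and e not in seen
        out.extend(expand(acls[e], acls, seen + (e,)) if nested else [e])
    return out

def audit(conf):
    """Sorted finding codes for the options block of a named.conf text."""
    conf = strip_comments(conf)
    opts = block_body(conf, r"\boptions") or ""
    acls = acl_map(conf)
    findings = []
    # Absent statements are flagged only where the assumed BIND 9.7-era default is open.
    for stmt, open_if_unset in (("allow-recursion", False),
                                ("allow-transfer", True), ("listen-on", True)):
        body = block_body(opts, r"\b" + stmt + r"\b")
        if body is None and open_if_unset:
            findings.append(stmt + ":unset-defaults-open")
        elif body and {"any", "0.0.0.0/0", "::/0"} & set(expand(elements(body), acls)):
            findings.append(stmt + ":any")
    # A fixed outgoing port undoes the source-port randomisation the file warns about.
    if re.search(r"\bquery-source\b[^;]*\bport\s+\d+", opts):
        findings.append("query-source:fixed-port")
    return sorted(findings)
```

Running audit on the real file works the same way (read it into a string first); the brace matcher ignores braces inside quoted strings, which named.conf rarely contains.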