Revision [1109]
This is an old revision of Tier1ServerConfig made by ChristopherTheodore on 2008-02-04 21:29:12.
A Tier 1 Server, or Top Level Domain Server, is any server that is an authoritative name server and can provide an IXFR/AXFR for a Top Level Domain (TLD) zone; it may be configured as either a Primary Master (zone "type master;") or a Secondary Master (zone "type slave;"). This tutorial will focus on configuring the Primary Master zone for a Top Level Domain on BIND 9.
This tutorial presumes that:
- You have BIND 9 installed, it is run in a chroot located at /var/named, and named.conf resides at /var/named/etc/namedb/named.conf.
- You have rndc working and know how to use it.
- Your server is configured as a Tier 0 or root server. See the Tier0ServerConfig page.
- You have read the main portions of the BIND 9 Administrator Reference Manual and understand the subtle difference between a "domain" and a "zone".
- You have at least one static IP address.
- You have a 24/7 DSL internet connection or better.
- You have both a mail server and a web server up and running (this can all be done on a single machine if that is all you have).
As a quick note: the term "Tier", while used to describe a name server, is not a "type of name server"; it refers to a name server that is authoritative for a particular "zone". There is the single Tier 0 zone (or "Root Zone", i.e. "."), then there are a few Tier 1 zones (or "Top Level Domain Zones", e.g. com., org., geek., oss., ukg., etc.), and then there are many Tier 2 zones (or "Domain Name Zones", e.g. example.com.). You will likely notice that Tier 1 Servers are also configured as Secondary Masters for the zone "." (zone "type slave;"), and that they will also be both Primary Masters and Secondary Masters for any number of Domain Name Zones as well (both zone "type master;" and "type slave;"). This would qualify them as being Tier 0 and Tier 2 servers too, or a Tier 0/1/2 Server. For simplicity, we simply call them Tier 1 Servers.
Due to the fact that you will not be able to resolve and test your Top Level Domain or Domain Names until your TLD is added to the root zone file, you will need to configure your server as a Tier 0 Server first. See the Tier0ServerConfig page and then come back to this page.
While named.conf has many sections and configuration directives, we will only focus on the portions relevant to setting up the initial Top Level Domain zone, a few key options {}; relevant to Tier 1 Servers, and the minimum Resource Record Set (RRset) for the TLD's zone master file. Hosting a domain name zone locally, and delegating a domain name to a Tier 2 server's domain name zone, will also be covered.
We will be using the fictional Top Level Domain zone TLD., the domain zones local.TLD. and delegated.TLD., and the static IP 12.34.56.78 in the examples below.
Make sure you have the directory /var/named/etc/namedb/master, and create it if not. Because a TLD zone will have many more records and zone files, you will find it useful to also create /var/named/etc/namedb/master/TLD for the many zone records and include files that will be created as more domain names are registered on the TLD. Also, all path names in both named.conf and the zone files are relative to the chroot environment.
The basic set of options and zone entries in named.conf is very simple; if you are not familiar with an option, do see the BIND manual, as they will not be explained in depth, if at all:
/var/named/etc/namedb/named.conf
options {
directory "/etc/namedb";
key-directory "/etc/namedb/keys";
pid-file "/var/run/named/pid";
version "BIND 9 - alt-DNS";
listen-on { 10.0.0.1; 12.34.56.78; };
query-source address * port 53;
#listen-on-v6 { none; };
#query-source-v6 address * port 53;
allow-query { any; };
transfer-format many-answers;
multi-master yes;
recursion yes; # you may decide later to disable this.
dump-file "logs/dump.db";
statistics-file "logs/stats.db";
minimal-responses no;
provide-ixfr yes;
request-ixfr yes;
max-cache-size 104857600; # This is in bytes
dnssec-enable yes; # We care about security and use DNSSEC
dnssec-lookaside . trust-anchor dlv.isc.org.;
auth-nxdomain yes;
};
include "logging.conf";
# RNDC
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
include "keys/rndc.key"; # this file also has the admin.TLD. key, used below, in it.
# This is used for DNSSEC Lookaside Validation (DLV) and must be configured - see https://secure.isc.org/index.pl?/ops/dlv/
# Paste the dlv.isc.org. trusted-keys statement from https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf here,
# i.e. trusted-keys { dlv.isc.org. <flags> <protocol> <algorithm> "<public key>"; };
# Tier 0 - Root Zone
zone "." {
type master; # This will be changed to type slave after your TLD is proposed and added to the root.
file "alt.root";
# masters { 66.150.224.233; 58.6.115.46; 58.6.115.45; 216.87.84.214; }; # uncomment when zone type is changed to "slave".
notify no;
};
# Tier 1 - TLD Primary Masters
zone "TLD." {
type master;
file "master/TLD/TLD.db"; # every statement ends with a semicolon; a missing one is a syntax error and named will not load the config.
allow-update { key admin.TLD.; }; # dynamic updates are only accepted when signed with the admin.TLD. key.
notify yes;
};
# Tier 2 - Domain Primary Masters
zone "local.TLD." {
type master;
file "master/TLD/local.TLD.db";
allow-update { key admin.TLD.; };
notify yes;
};
<..snip..>
Now that we have added some options {}; and the needed zone entries in named.conf, it is time to focus on the content of the zone files "TLD.db" and "local.TLD.db". Note that there is no zone for "delegated.TLD.", as domain names that are hosted on other servers don't need a zone configured on your server. The delegation of a domain name will be covered later.
First we will look at TLD.db from a non-chroot perspective, which is /var/named/etc/namedb/master/TLD/TLD.db
Note that in all the configuration files and zone files the paths are relative to the chroot environment. So from BIND's perspective, this file is located at: /etc/namedb/master/TLD/TLD.db
It uses the same zone file directives as any zone file, but because it is going to contain many resource records for many domain names, we must take this into consideration before the file is full of thousands of records. Note the use of the $INCLUDE directive in this file, which will be explained below.
/var/named/etc/namedb/master/TLD/TLD.db
$TTL 3h
TLD.    IN SOA ns0.dns.TLD. hostmaster.mail.dns.TLD. ( 2008012512 1800 900 604800 900 )
; a record line that starts with whitespace keeps the previous owner name (TLD.)
; host names in the RDATA must end with a "." or TLD. is appended to them (ns0.dns.TLD would become ns0.dns.TLD.TLD.)
        IN NS  ns0.dns.TLD.
        IN MX  10 mail.dns.TLD.
        IN TXT ".TLD - An alt-root TLD - http://www.dns.TLD"
; SYNTAX: $INCLUDE [FILENAME] [ORIGIN] [COMMENT]
$INCLUDE /etc/namedb/master/TLD/dns.TLD.inc dns.TLD. ; contains the records for the hosts named in the SOA, NS and MX
$INCLUDE /etc/namedb/master/TLD/delegated.TLD.inc delegated.TLD. ; records delegating delegated.TLD. to other name servers
As was mentioned above, this is a minimal Resource Record set for a TLD. You will more than likely have another MX record and many more NS records, as most of the admins of other TLDs in the alt-root are willing to set up Secondary Masters for other TLDs.
Also, while any hostname could have been used in the SOA record, because a uniform naming convention eases web site development, software development, and other coordination, all TLDs (regardless of the Sponsor - OpenNIC or another organization) are hopefully using the host name ns0.dns.[TLD] for the Primary Master of the TLD.
In addition to the "ns0" sub-domain, there is also expected to be:
- a mail server accepting mail at mail.dns.[TLD] for hostmaster@mail.dns.[TLD] and abuse@mail.dns.[TLD], and;
- a web server at www.dns.[TLD] with the TLD's Charter and WHOIS information published at http://www.dns.[TLD]/charter.html
The $INCLUDE FILE: dns.TLD.inc
Now, the first of the two files included with the $INCLUDE directives holds the Resource Records for the hostnames in the TLD's SOA, NS, and MX records. This file works very much as a $ORIGIN dns.TLD. directive would: it is as if the records in this file were in the TLD.db file following an $ORIGIN dns.TLD. directive.
With that in mind, the use of "@" in this file will be interpreted as "dns.TLD.", and domain names that are not fully terminated (that do not end with a ".") will have "dns.TLD." appended to them. For example, "mail" will be interpreted as "mail.dns.[TLD]."
Time to look at the contents of the dns.TLD.inc include file:
/var/named/etc/namedb/master/TLD/dns.TLD.inc
; origin is dns.TLD. (set by the $INCLUDE in TLD.db): "@" and relative names are qualified with it
@    IN A     12.34.56.78
@    IN MX    10 mail        ; MX RDATA must be a host name (mail.dns.TLD.), never an IP address
ns0  IN A     12.34.56.78
mail IN A     12.34.56.78
www  IN CNAME @
Obviously, if you have more than one static IP you would add ns1 and ns2 records, or use an A record for www. Again, this is the minimal set of records needed to set up the Tier 1 zone.
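As an added example (not from the original page or from BIND itself), the following Python models how named qualifies "@" and relative names with the origin given on the $INCLUDE line, and shows what happens to an NS target in TLD.db that lacks its trailing dot. The parser and the sample include file content are my own construction; it handles single-line records only.

```python
# Added example (not from the original page): a minimal model of how named
# qualifies names after "$INCLUDE file origin". Single-line records only.
NAME_RDATA_TYPES = {"NS", "CNAME", "MX", "PTR"}  # RDATA ends in a domain name

def qualify(name: str, origin: str) -> str:
    """Fully qualify `name` relative to `origin`, as named's zone parser does."""
    if name == "@":
        return origin                      # "@" is the current origin
    if name.endswith("."):
        return name                        # already absolute, left untouched
    return f"{name}.{origin}"              # relative name: origin is appended

def expand(fragment: str, origin: str) -> list:
    """Return (owner, type, rdata) per record with every name qualified.
    A line starting with whitespace has no owner field and reuses the
    previous owner (the origin itself for the first record)."""
    records, owner = [], origin
    for raw in fragment.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip() or line.startswith("$"):
            continue                                # blank line or directive
        if line[0].isspace():
            rest = line.strip()
        else:
            owner_tok, rest = line.split(None, 1)
            owner = qualify(owner_tok, origin)
        tokens = rest.split()
        if tokens[0] in ("IN", "CH", "HS"):
            tokens = tokens[1:]                     # optional class field
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in NAME_RDATA_TYPES:
            rdata[-1] = qualify(rdata[-1], origin)  # NS/MX/CNAME target is a name
        records.append((owner, rtype, " ".join(rdata)))
    return records

# Constructed copy of the dns.TLD.inc include file shown above (origin dns.TLD.).
DNS_TLD_INC = """\
@    IN A     12.34.56.78
@    IN MX    10 mail
ns0  IN A     12.34.56.78
mail IN A     12.34.56.78
www  IN CNAME @
"""

if __name__ == "__main__":
    for rec in expand(DNS_TLD_INC, "dns.TLD."):
        print(rec)  # e.g. ('www.dns.TLD.', 'CNAME', 'dns.TLD.')
    # Pitfall: an NS target without its trailing dot inside TLD.db (origin TLD.)
    print(expand("    IN NS ns0.dns.TLD\n", "TLD."))  # -> ns0.dns.TLD.TLD.
```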
delegated.TLD.inc
....