Most BIND implementations only use named to provide name resolution services or to act
as an authority for a particular domain or sub-domain. However,
BIND version 9 has a number of advanced features that allow for a
more secure and efficient DNS service.
Caution
Some of these advanced features, such as DNSSEC, TSIG, and IXFR
(which are defined in the following section), should only be used
in network environments with nameservers that support the features.
If the network environment includes non-BIND or older BIND
nameservers, verify that each advanced feature is supported before
attempting to use it.
All of the features mentioned are discussed in greater detail in
the BIND 9 Administrator Reference Manual referenced in Section
12.7.1 Installed Documentation.
BIND supports Incremental Zone Transfers (IXFR), where a slave
nameserver only downloads the updated portions of a zone modified
on a master nameserver. The standard transfer process requires that
the entire zone be transferred to each slave nameserver for even
the smallest change. For very popular domains with very lengthy
zone files and many slave nameservers, IXFR makes the notification
and update process much less resource intensive.
Note that IXFR is only available when using dynamic updating to make
changes to master zone records. If manually editing zone files to
make changes, Automatic Zone Transfer (AXFR) is used. More
information on dynamic updating is available in the BIND 9
Administrator Reference Manual. See Section 12.7.1 Installed
Documentation.
Through the use of the view statement in named.conf, BIND can present
different information depending on which network a request originates
from.
This is primarily used to deny clients outside of the local network
access to sensitive DNS entries, while allowing queries from clients
inside the local network.
The view statement uses the match-clients option to match IP addresses
or entire networks and give them special options and zone data.
BIND supports a number of different methods to protect the
updating and transfer of zones, on both master and slave
nameservers:
- DNSSEC — Short for DNS SECurity, this feature allows for zones to be
  cryptographically signed with a zone key.
  In this way, the information about a specific zone can be
  verified as coming from a nameserver that has signed it with a
  particular private key, as long as the recipient has that
  nameserver's public key.
  BIND version 9 also supports the SIG(0) public/private key
  method of message authentication.
- TSIG — Short for Transaction SIGnatures, this feature allows a
  transfer from master to slave only after verifying that a shared
  secret key exists on both nameservers.
  This feature strengthens the standard IP address-based method of
  transfer authorization. An attacker would not only need to have
  access to the IP address to transfer the zone, but they would also
  need to know the secret key.
  BIND version 9 also supports TKEY, which is another shared secret
  key method of authorizing zone transfers.
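The view and TSIG passages above, combined in one added example that is not part of the original manual: a master that serves different zone data per view and transfers the external zone only to a requester holding the shared key, followed by the matching slave configuration. All addresses, file paths, the key name and the choice of hmac-sha256 are assumptions, and the secret is a placeholder.

```conf
// ---- master (192.0.2.1): named.conf; all names and addresses constructed ----
acl "lan" { 127.0.0.1; 10.0.0.0/8; };

key "xfer-key" {
    algorithm hmac-sha256;                // assumes a BIND 9 release with HMAC-SHA256 TSIG
    secret "REPLACE_WITH_BASE64_SECRET";  // placeholder, generate your own secret
};

view "internal" {
    match-clients { "lan"; };             // views are tried in order, first match wins
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone"; // full data, including internal-only hosts
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };               // everyone not matched by "internal"
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone"; // public records only
        // IP-only authorization, the standard method the text refers to:
        //   allow-transfer { 192.0.2.2; };
        // TSIG form: only requests signed with the shared key are served.
        allow-transfer { key "xfer-key"; };
    };
};

// ---- slave (192.0.2.2): named.conf ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";  // must be identical to the master's secret
};

server 192.0.2.1 { keys { "xfer-key"; }; };  // sign every request sent to the master

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.zone";
};
```

Because both files contain the shared secret, they should be readable only by the account that named runs as.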
BIND version 9 supports name service in IP version 6 (IPv6)
environments through the use of A6 zone
records.
If the network environment includes both IPv4 and IPv6 hosts,
use the lwresd lightweight resolver daemon
on all network clients. This daemon is a very efficient,
caching-only nameserver which understands the new A6 and DNAME records used
under IPv6. Refer to the lwresd man page
for more information.