Most BIND implementations only use named to provide
name resolution services or to act as an authority for a particular
domain or sub-domain. However, BIND version 9 has a number of advanced
features that, when properly configured and utilized, allow for a more
secure and efficient DNS service.
Caution: Some of these advanced features, such as DNSSEC, TSIG, and IXFR,
should only be used in network environments with nameservers that
support the features. If your network environment includes non-BIND or
older BIND nameservers, check to see if a particular advanced feature
is available before attempting to use it. Do not assume another type
of nameserver supports all of these features, as many do not.
All of the features discussed here are discussed in greater detail in
the BIND 9 Administrator Reference Manual. See
the section called Additional Resources for places to find this
manual.
BIND supports Incremental Zone Transfers
(IXFR), where a slave nameserver downloads only the
portions of a zone that were modified on the master nameserver. The
standard AXFR transfer process requires that the entire zone be
transferred to each slave nameserver for even the smallest change. For
very popular domains with very lengthy zone files and many slave
nameservers, IXFR makes the notification and update process much less
resource intensive.
Note that IXFR is only available if you are also using
dynamic updating to make changes to master zone
records. If you are manually editing zone files to make changes, AXFR
will be used. More information on dynamic updating is available in the
BIND 9 Administrator Reference Manual.
Through the use of the view statement in
/etc/named.conf, BIND allows you to configure a
nameserver to answer queries for some clients in a different way than
it answers them for others.
This is primarily useful if you want to prevent clients external to
your network from performing a particular DNS service or seeing a
particular type of information, while still allowing internal clients
to do so.
The view statement uses the
match-clients option to match IP addresses or entire
networks and give them special options and zone data.
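The following /etc/named.conf fragment is an added example (not taken from the BIND manual or this guide) of the split view described above. The zone name example.com, the 10.0.0.0/8 internal network, and the file paths under /var/named are assumptions chosen for illustration; the point is that internal clients get recursion and the full internal zone file, while everyone else gets a reduced external zone file and no recursion.

```conf
// Added example: two views of the same zone in /etc/named.conf.
// Addresses, zone name and file names are assumed for illustration.

// Name the internal networks once so both views can refer to them.
acl "internal-nets" {
    10.0.0.0/8;
    127.0.0.1;
};

// Views are tested in the order written; the first match-clients
// that matches the querying address wins, so the restrictive
// catch-all view goes last.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;              // internal hosts may use us as a resolver

    zone "." {
        type hint;
        file "named.ca";        // root hints must appear in every view
    };

    zone "example.com" {
        type master;
        file "internal/example.com.db";   // full zone, internal hosts included
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // never recurse for the outside world

    zone "." {
        type hint;
        file "named.ca";
    };

    zone "example.com" {
        type master;
        file "external/example.com.db";   // public hosts only
    };
};
```

Once a view statement is used, every zone must live inside some view (BIND 9 rejects a mix of top-level zones and views), which is why the root hints zone is repeated. After editing, run named-checkconf and reload named, then query from an internal and an external address to confirm each sees the intended data.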
BIND supports a number of different methods to protect the updating
and transfer of zones, on both master and slave nameservers:
DNSSEC — Short for DNS
SECurity, this feature allows for zones to be
cryptographically signed with a zone key.
In this way, the information about a specific zone can be verified
as coming from a nameserver that has signed it with a particular
private key, as long as the recipient has that nameserver's public
key.
BIND version 9 also supports the SIG(0) public/private key method
of message authentication.
TSIG — Short for Transaction
SIGnatures, a shared secret key exists on the master
and slave server, verifying that a transfer from master to slave
is authorized.
This feature strengthens the standard IP address-based method of
transfer authorization. An attacker would not only need to have
access to the IP address to transfer the zone, but they would also
need to know the secret key.
BIND version 9 also supports TKEY, which is
another shared secret key method of authorizing zone transfers.
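To tie the TSIG description above to the IXFR section earlier on this page, here is an added example (not from the BIND manual or this guide) of a master and a slave configured so that zone transfers require a TSIG key and the master accepts dynamic updates, which is the precondition for IXFR. The zone name, the addresses 192.0.2.1 (master) and 192.0.2.2 (slave), the key names, and the file paths are assumptions; the secret values are placeholders and must be replaced by output of a key generator such as dnssec-keygen (for example, dnssec-keygen -a HMAC-MD5 -b 128 -n HOST transfer-key in BIND 9).

```conf
// Added example: TSIG-protected transfers plus dynamic updates.
// Addresses, names and paths are assumed; secrets are placeholders.

// ---------- master nameserver (192.0.2.1) ----------

// Shared secret used to sign transfer requests from the slave.
key "transfer-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-DNSSEC-KEYGEN";
};

// A separate key for clients that submit dynamic updates (nsupdate).
key "update-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-A-DIFFERENT-BASE64-SECRET";
};

zone "example.com" {
    type master;
    file "example.com.db";
    // Only requests signed with transfer-key may pull the zone;
    // an address-only match is no longer sufficient.
    allow-transfer { key transfer-key; };
    // Dynamic updates (signed with update-key) keep a journal,
    // which is what lets slaves fetch incremental changes (IXFR).
    allow-update { key update-key; };
    notify yes;
};

// ---------- slave nameserver (192.0.2.2) ----------

key "transfer-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-THE-SAME-SECRET-AS-ON-THE-MASTER";
};

// Sign every request sent to the master with transfer-key.
server 192.0.2.1 {
    keys { transfer-key; };
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.1; };
    request-ixfr yes;   // ask for incremental transfers where available
};
```

Keep the key statements in a separate file readable only by the named user and pull it in with an include statement, so the secret does not sit in a world-readable /etc/named.conf. Because TSIG compares timestamps in the signature, both servers need reasonably synchronized clocks, or signed transfers will be rejected as expired; a transfer failure logged by named with a TSIG verification error is the usual symptom of a mismatched secret or clock skew.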
BIND version 9 can provide name service in IP version 6 (IPv6)
environments, through the use of A6 zone records.
If your network environment includes both IPv4 and IPv6 hosts, you
should use the lwresd lightweight resolver daemon
on your network clients. This daemon is essentially a very efficient,
caching-only nameserver, which understands the new A6
and DNAME records used with IPv6. See the
lwresd man page for more information.