17.2.5. Advanced Features of BIND
Most BIND implementations only use the
named
service to provide name resolution services or to act as an authority for a particular domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
Important
Before attempting to use advanced features like DNSSEC, TSIG, or IXFR (Incremental Zone Transfer), make sure that the particular feature is supported by all nameservers in the network environment, especially when you use older versions of BIND or non-BIND servers.
All of the features mentioned are discussed in greater detail in the BIND 9 Administrator Reference Manual referenced in Section 17.2.7.1, “Installed Documentation”.
17.2.5.1. Multiple Views
Optionally, different information can be presented to a client depending on the network a request originates from. This is primarily used to deny sensitive DNS entries from clients outside of the local network, while allowing queries from clients inside the local network.
To configure multiple views, add the
view
statement to the /etc/named.conf
configuration file. Use the match-clients
option to match IP addresses or entire networks and give them special options and zone data.
17.2.5.2. Incremental Zone Transfers (IXFR)
Incremental Zone Transfers (IXFR) allow a secondary nameserver to only download the updated portions of a zone modified on a primary nameserver. Compared to the standard transfer process, this makes the notification and update process much more efficient.
Note that IXFR is only available when using dynamic updating to make changes to master zone records. If manually editing zone files to make changes, Automatic Zone Transfer (AXFR) is used.
17.2.5.3. Transaction SIGnatures (TSIG)
Transaction SIGnatures (TSIG) ensure that a shared secret key exists on both primary and secondary nameserver before allowing a transfer. This strengthens the standard IP address-based method of transfer authorization, since attackers would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.
Since version 9, BIND also supports TKEY, which is another shared secret key method of authorizing zone transfers.
Important
When communicating over an insecure network, do not rely on IP address-based authentication only.
17.2.5.4. DNS Security Extensions (DNSSEC)
Domain Name System Security Extensions (DNSSEC) provide origin authentication of DNS data, authenticated denial of existence, and data integrity. When a particular domain is marked as secure, the
SERFVAIL
response is returned for each resource record that fails the validation.
Note that to debug a DNSSEC-signed domain or a DNSSEC-aware resolver, you can use the
dig
utility as described in Section 17.2.4, “Using the dig Utility”. Useful options are +dnssec
(requests DNSSEC-related resource records by setting the DNSSEC OK bit), +cd
(tells recursive nameserver not to validate the response), and +bufsize=512
(changes the packet size to 512B to get through some firewalls).
17.2.5.5. Internet Protocol version 6 (IPv6)
Internet Protocol version 6 (IPv6) is supported through the use of
AAAA
resource records, and the listen-on-v6
directive as described in Table 17.3, “Commonly used options”.