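# /etc/bind/named.conf
#
# General overview:
# All included files are separated out either because they have specific
# permissions (keys.conf), or because they can be autogenerated in some
# cases.

# ACL section
# I think that most IP ACLs should probably be expressed in terms of firewall
# rules, so you shouldn't need anything here.  Situations where ACLs make
# sense are pretty much all confined to your authoritative servers (which may
# have multiple views), the allow-recursion list in options below, or certain
# special circumstances (to support things like sortlist).
# acl rfc1918
# {
#     10.0.0.0/8;
#     172.16.0.0/12;
#     192.168.0.0/16;
# };

# TSIG keys
# Generate the secret with tsig-keygen, which prints a ready-to-include key
# statement (modern BIND 9; older releases used dnssec-keygen -a ... -n HOST
# and the Key: field of the K*.private file it produced):
#     tsig-keygen -a hmac-sha256 example.com.
# Use an HMAC-SHA2 algorithm: hmac-md5 is deprecated for TSIG (RFC 8945) and
# should only be kept for a peer that cannot be upgraded.  The secret has to
# be the same on every bind installation that shares the key; give each peer
# relationship its own key so that one leaked secret does not let an attacker
# forge transfers or updates for every peer.
# key example.com.
# {
#     algorithm hmac-sha256;
#     secret "your-example-base64-encoded-secret-here";
# };
# This file must be owned root:bind perms 0640 -- it holds the TSIG secrets,
# and anyone who can read it can impersonate this server to its peers.
include "/etc/bind/keys.conf";

# Options
options
{
    # Debian's default dir.  Other OS's differ, obviously.
    directory "/var/cache/bind";

    # Conform to RFC1035
    auth-nxdomain no;

    # Don't generate a corefile on crash.  A core file would also contain
    # the TSIG secrets loaded from keys.conf.
    coresize 0;

    # Only answer recursive queries for the local host and the directly
    # connected networks (the same set the sortlist below favours).  Current
    # BIND 9 defaults to this, but older releases default to "any", which
    # turns a server reachable on port 53 into an open resolver usable for
    # reflection/amplification.  Widen the list (e.g. to the rfc1918 acl
    # above) if clients sit on other subnets; keep the firewall rules as the
    # outer layer rather than the only one.
    allow-recursion { localhost; localnets; };

    # Try your forwarders first; if you can't get to them, fall back to
    # doing the query yourself.  The fallback means this host will talk to
    # the Internet directly when the forwarders fail; use "forward only" if
    # all external DNS traffic must go through the org caches.
    forward first;

    # Put your orgs caching servers here.
    # These should probably be autogenerated via DHCP; perhaps when
    # resolvconf is ready it will handle this sort of thing.
    forwarders { 10.0.0.1; 10.0.0.2; };

    # Responses sent to queries from the local host will favor any of the
    # directly connected networks.  Responses sent to queries from any other
    # hosts on a directly connected network will prefer addresses on that same
    # network.  Responses to other queries will not be sorted.
    sortlist { { localhost; localnets; }; { localnets; }; };
};

# Logging
logging
{
    # Don't bother logging lame delegations.  They are out of your control
    # and just clutter the logs.
    category "lame-servers" { null; };
};

# The "system wide" nameservers.  These are used to generate an organization
# wide cache, and reduces load on the roots (and reduces your external DNS
# traffic).  In a separate file because you may be generating this from DHCP.
# You should also specify your server TSIG relationships here, using the key
# from keys.conf; a "keys" clause makes this server sign the queries,
# transfers and updates it sends to that peer with the named key.
# server 10.0.0.1
# {
#     keys
#     {
#         example.com.;
#     };
# };
#
# If you are an authoritative server, put your master zones in here.
# If you are not, simply let this file be empty.
include "/etc/bind/master.conf";

# If you are an authoritative server, put your slave zones in here.
# If you are not, simply let this file be empty.
include "/etc/bind/slave.conf";

# These two zones were a workaround for the Verisign Sitefinder wildcard
# redirection of .com/.net, which was withdrawn in 2003.  The delegation-only
# zone type has since been deprecated in BIND 9 and dropped from recent
# releases, where its presence stops named from loading this file, so they
# are left here only as history.
# zone "com" { type delegation-only; };
# zone "net" { type delegation-only; };

# Root server hints.  This is probably not really necessary, as BIND 9 has an
# internal root server cache, and it only needs one of them to be available
# to work okay.  Still, better safe than sorry -- but a stale db.root is
# worse than the built-in list, so keep this file current if you use it.
zone "."
{
    type hint;
    file "/etc/bind/db.root";
};

# Be authoritative for the localhost forward and reverse zones, and for
# broadcast zones as per RFC 1912.
zone "localhost."
{
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa."
{
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa."
{
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa."
{
    type master;
    file "/etc/bind/db.255";
};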