Home
Contents

Book Fire Online by http://bookfire.net
Prev Page Next Page
 
Main Page
Table of content
Copyright
Preface
Versions
What's New in the Fourth Edition?
Organization
Audience
Obtaining the Example Programs
Contacting O'Reilly
Conventions Used in This Book
Quotations
Acknowledgments
Chapter 1. Background
1.1 A (Very) Brief History of the Internet
1.2 On the Internet and internets
1.3 The Domain Name System in a Nutshell
1.4 The History of BIND
1.5 Must I Use DNS?
Chapter 2. How Does DNS Work?
2.1 The Domain Name Space
2.2 The Internet Domain Name Space
2.3 Delegation
2.4 Name Servers and Zones
2.5 Resolvers
2.6 Resolution
2.7 Caching
Chapter 3. Where Do I Start?
3.1 Getting BIND
3.2 Choosing a Domain Name
Chapter 4. Setting Up BIND
4.1 Our Zone
4.2 Setting Up Zone Data
4.3 Setting Up a BIND Configuration File
4.4 Abbreviations
4.5 Host Name Checking (BIND 4.9.4 and Later Versions)
4.6 Tools
4.7 Running a Primary Master Name Server
4.8 Running a Slave Name Server
4.9 Adding More Zones
4.10 What Next?
Chapter 5. DNS and Electronic Mail
5.1 MX Records
5.2 What's a Mail Exchanger, Again?
5.3 The MX Algorithm
Chapter 6. Configuring Hosts
6.1 The Resolver
6.2 Sample Resolver Configurations
6.3 Minimizing Pain and Suffering
6.4 Vendor -Specific Options
Chapter 7. Maintaining BIND
7.1 Controlling the Name Server
7.2 Updating Zone Data Files
7.3 Organizing Your Files
7.4 Changing System File Locations in BIND 8 and 9
7.5 Logging in BIND 8 and 9
7.6 Keeping Everything Running Smoothly
Chapter 8. Growing Your Domain
8.1 How Many Name Servers?
8.2 Adding More Name Servers
8.3 Registering Name Servers
8.4 Changing TTLs
8.5 Planning for Disasters
8.6 Coping with Disaster
Chapter 9. Parenting
9.1 When to Become a Parent
9.2 How Many Children?
9.3 What to Name Your Children
9.4 How to Become a Parent: Creating Subdomains
9.5 Subdomains of in-addr.arpa Domains
9.6 Good Parenting
9.7 Managing the Transition to Subdomains
9.8 The Life of a Parent
Chapter 10. Advanced Features
10.1 Address Match Lists and ACLs
10.2 DNS Dynamic Update
10.3 DNS NOTIFY (Zone Change Notification)
10.4 Incremental Zone Transfer (IXFR)
10.5 Forwarding
10.6 Views
10.7 Round Robin Load Distribution
10.8 Name Server Address Sorting
10.9 Preferring Name Servers on Certain Networks
10.10 A Nonrecursive Name Server
10.11 Avoiding a Bogus Name Server
10.12 System Tuning
10.13 Compatibility
10.14 The ABCs of IPv6 Addressing
10.15 Addresses and Ports
10.16 IPv6 Forward and Reverse Mapping
Chapter 11. Security
11.1 TSIG
11.2 Securing Your Name Server
11.3 DNS and Internet Firewalls
11.4 The DNS Security Extensions
Chapter 12. nslookup and dig
12.1 Is nslookup a Good Tool?
12.2 Interactive Versus Noninteractive
12.3 Option Settings
12.4 Avoiding the Search List
12.5 Common Tasks
12.6 Less Common Tasks
12.7 Troubleshooting nslookup Problems
12.8 Best of the Net
12.9 Using dig
Chapter 13. Reading BIND Debugging Output
13.1 Debugging Levels
13.2 Turning On Debugging
13.3 Reading Debugging Output
13.4 The Resolver Search Algorithm and Negative Caching (BIND 8)
13.5 The Resolver Search Algorithm and Negative Caching (BIND 9)
13.6 Tools
Chapter 14. Troubleshooting DNS and BIND
14.1 Is NIS Really Your Problem?
14.2 Troubleshooting Tools and Techniques
14.3 Potential Problem List
14.4 Transition Problems
14.5 Interoperability and Version Problems
14.6 TSIG Errors
14.7 Problem Symptoms
Chapter 15. Programming with the Resolver and Name Server Library Routines
15.1 Shell Script Programming with nslookup
15.2 C Programming with the Resolver Library Routines
15.3 Perl Programming with Net::DNS
Chapter 16. Miscellaneous
16.1 Using CNAME Records
16.2 Wildcards
16.3 A Limitation of MX Records
16.4 Dialup Connections
16.5 Network Names and Numbers
16.6 Additional Resource Records
16.7 DNS and WINS
16.8 DNS and Windows 2000
Appendix A. DNS Message Format and Resource Records
A.1 Master File Format
A.2 DNS Messages
A.3 Resource Record Data
Appendix B. BIND Compatibility Matrix
Appendix C. Compiling and Installing BIND on Linux
C.1 Instructions for BIND 8.2.3
C.2 Instructions for BIND 9.1.0
Appendix D. Top-Level Domains
Appendix E. BIND Name Server and Resolver Configuration
E.1 BIND Name Server Boot File Directives and Configuration File Statements
E.2 BIND 4 Boot File Directives
E.3 BIND 8 Configuration File Statements
E.4 BIND 9 Configuration File Statements
E.5 BIND Resolver Statements
Colophon
Index
Index SYMBOL
Index A
Index B
Index C
Index D
Index E
Index F
Index G
Index H
Index I
Index J
Index K
Index L
Index M
Index N
Index O
Index P
Index Q
Index R
Index S
Index T
Index U
Index V
Index W
Index X
Index Y
Index Z
I l@ve RuBoard Previous Section Next Section

10.4 Incremental Zone Transfer (IXFR)

With dynamic update and NOTIFY, our zones are updated according to the changing state of the network, and those changes quickly propagate to all the authoritative name servers for those zones. The picture's complete, right?

Not quite. Imagine you run a large zone that's dynamically updated with frightening frequency. That's easy to envision: you might have a big zone to begin with, including thousands of clients, when all of a sudden management decides to implement Windows 2000 and DHCP. Now each of your clients updates its own address record in the zone, and the Domain Controllers update the records that tell clients which services they run. (There's much more to come on Windows 2000 in Chapter 16.)

Each time your primary master name server receives an update that increments the zone's serial number, it sends a NOTIFY announcement to its slaves. And each time they receive NOTIFY announcements, the slaves check the serial number of the zone on their master server and, possibly, transfer the zone. If that zone is large, the transfer will take some time—another update could arrive in the interim. Your slaves could be transferring zones in perpetuity! At the very least, your name servers will spend a lot of time transferring the whole zone when the change to the zone is probably very small (e.g., the addition of a client's address record).

Incremental zone transfer, or IXFR for short, solves this problem by allowing slave name servers to tell their master servers which version of a zone they currently hold and to request just the changes to the zone between that version and the current one. This can reduce the size and duration of a zone transfer dramatically.

An incremental zone transfer request has a query type of IXFR instead of AXFR (the type of query that initiates a full zone transfer), and it contains the slave's current SOA record from the zone in the authority section of the message. When the master name server receives an incremental zone transfer request, it looks for the record of the changes to the zone between the slave's version of the zone and the version the master holds. If that record is missing, the master sends a full zone transfer. Otherwise, it sends just the differences between the versions of the zone.

10.4.1 IXFR Limitations

Sound good? It is! But IXFR has a few limitations that you should know about. First, IXFR didn't work well until BIND 8.2.3. All BIND 9 name servers have IXFR implementations that work well and interoperate with BIND 8.2.3.

Next, IXFR works best when you're only modifying your zone data with dynamic updates. Dynamic updates leave a record of the changes made to the zone and the serial number changes they correspond to—exactly what a master name server needs to send to a slave that requests IXFR. But a BIND primary master name server that reloads an entire zone data file can't compute the differences between that zone and the previous zone. Nor can a BIND slave that gets a full zone transfer figure out what changed between that zone and the last.

This means that, to take maximum advantage of IXFR, you should modify your zone only by using dynamic update, and never edit the zone data file by hand.

10.4.2 IXFR Files

BIND 8 name servers maintain an IXFR log of changes to the zone separate from the dynamic update log file. Like the dynamic update log file, the IXFR log file is updated every time the name server receives an update. Unlike the dynamic update log file, the IXFR log file is never deleted, though the name server can be configured to trim it when it exceeds a particular size. The name of the BIND 8 IXFR log file, by default, is the name of the zone data file with .ixfr appended to it.

BIND 9 name servers use the dynamic update log file, or journal file, to assemble IXFR responses and to maintain the integrity of the zone. Since a primary master name server never knows when it may need the record of a particular change to the zone, it doesn't delete the journal file. A BIND 9 slave deletes the journal file if it receives an AXFR of the zone, since it now has a fresh full zone transfer and no longer needs to keep track of incremental changes to the last full zone transfer.

10.4.3 BIND 8 IXFR Configuration

Configuring IXFR in BIND 8 is fairly straightforward. First, you need an options substatement called maintain-ixfr-base on your master name server that tells it to maintain IXFR log files for all zones—even those the name server is a slave for, since those in turn may have slaves that want IXFRs:

options {
	directory "/var/named";
	maintain-ixfr-base yes;
};

Then you need to tell your slaves to request IXFRs from that master name server. You do that with a new server substatement, support-ixfr :

server 192.249.249.3 {
	support-ixfr yes;
};

That's about it, unless you want to rename the IXFR log file on the master. That's done with a new zone statement, ixfr-base :

zone "movie.edu" {
	type master;
	file "db.movie.edu";
	ixfr-base "ixfr.movie.edu";
};

Oh, and you can configure the name server to trim the IXFR log file after it exceeds a particular size:[5]

[5] Before BIND 8.2.3, you need to specify the number of bytes, rather than just "1M," because of a bug.

options {
	directory "/var/named";
	maintain-ixfr-base yes;
	max-ixfr-log-size 1M;     // trim IXFR log to 1 megabyte
};

Once the IXFR log file exceeds the specified limit by 100 KB, the name server trims it back to that size. The 100 KB of "slush" prevents the log file from reaching the limit and then being trimmed back after each successive update.

Using the many-answers zone transfer format can make zone transfers even more efficient. Take a look at Section 10.12.1.6 for details.

10.4.4 BIND 9 IXFR Configuration

It's even easier to configure IXFR in a BIND 9 master name server because you don't have to do a thing: it's on by default. If you need to turn it off for a particular slave server (and you probably won't, since a slave must request an incremental zone transfer), use the provide-ixfr server substatement, which defaults to yes :

server 192.249.249.1 {
	provide-ixfr no;
};

You can also use provide-ixfr as an options substatement, in which case it applies to all slaves that don't have an explicit provide-ixfr substatement of their own in a server statement.

Since BIND 9 master name servers send many-answers zone transfers by default, you don't need any special transfer-format configuration.

More useful is the request-ixfr substatement, which can be used in either an options or a server statement. If you have a mix of IXFR-capable and IXFR-impaired masters, you can tailor your slave's zone transfer requests to match the capabilities of its masters:

options {
	directory "/var/named";
	request-ixfr no;
};

server 192.249.249.3 {
	request-ixfr yes;     // of our masters, only terminator supports IXFR
};

BIND 9 doesn't support the max-ixfr-log-sizesubstatement.

    I l@ve RuBoard Previous Section Next Section
    Linking to Www Google.Com. Host by Book Fire